Earlier today, Canada’s Privacy Commissioner, Jennifer Stoddart, submitted to Parliament the OPC’s Annual Report on PIPEDA for the period from January 1 to December 31, 2009.
As the Commissioner notes, “the dominant theme of [the OPC's] work in 2009 was the protection of privacy in an increasingly online, borderless world. A case in point was the investigation that resulted in more public attention than any other in [the OPC's] history: Facebook.” The Commissioner notes two key issues, namely, Data without borders and Risks remaining in the wake of mortgage broker breaches.
The federal government introduced legislation today to amend PIPEDA and re-introduce the Anti-Spam Bill. I’ve previously posted here regarding the anticipated changes to PIPEDA and here about the Anti-Spam Bill.
From today’s news release:
The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.
Continuing a series of blog posts that I’m calling “A Conversation with…“, I’m really pleased to post the following conversation with the Information and Privacy Commissioner of Saskatchewan, Gary Dickson, Q.C.
Gary Dickson was appointed as Saskatchewan’s first full-time Information and Privacy Commissioner back in 2003, and he was re-appointed in 2009 for a further five-year term. That’s great news because Gary Dickson has been outstanding in his role as Commissioner. On a personal note, I’ve been thrilled to watch his many successes as Commissioner. I’ve known Gary for many years. In fact, it was he who suggested that I get involved with the Canadian Bar Association at a time when some of us were trying to form what is now the CBA’s National Privacy and Access Law Section.
Thanks to Commissioner Dickson for agreeing to take part in this online Q & A conversation. CFL fans may find some humour in the last Q & A below. Go Bombers! If you’d like to learn more about Commissioner Dickson or the Office of the Saskatchewan Information and Privacy Commissioner (“IPC”), I’d encourage you to visit the IPC’s website.
Q. You were previously an Alberta MLA. In that capacity, you were involved in privacy law development as the critic for the Freedom of Information and the Protection of Privacy portfolio, and also on several important privacy law committees and panels. What’s it like to now be involved with privacy as the Information and Privacy Commissioner of Saskatchewan?
A. The experience is exciting, stimulating, and almost always challenging. I am very fortunate that our office has a committed team of excellent staff who are focused on ensuring that Saskatchewan residents enjoy the full benefit of our provincial access and privacy laws. I’m very lucky to continue to be involved with such a fascinating area but from a very different perspective than that of a lawmaker. It has been very useful to have had that experience in the development of access and privacy legislation before I assumed the new Commissioner role in Saskatchewan. I hope that I am more aware and more sympathetic to the challenges and issues that arise with any access and privacy law for front line workers. It has certainly motivated me to promote wherever possible making such laws simpler and more accessible to the people who must administer them and for those who are the ‘data subjects’. I have also enjoyed the opportunity to modestly influence the way that our access and privacy laws are viewed and understood. My experience in Saskatchewan has been that those who work in public bodies or health trustee organizations genuinely want to do the ‘right thing’ in terms of transparency and privacy protection but are often unsure on where the line is drawn and are unfamiliar with best practices that have evolved over the last 26 years in Canada. As a result, a major focus for my initial five years in Saskatchewan has been on raising awareness and creating tools to assist those workers meet their statutory responsibilities.
Q. While Alberta, Quebec, British Columbia and Ontario (for personal health information only) have provincial privacy laws that are “substantially similar” to PIPEDA, Saskatchewan does not. Is it time for that to change?
A. I have for the last six years encouraged the former provincial government and now the current government to carefully consider the advantages of adopting a PIPA type law based on the B.C. and Alberta experience. As it stands, our fundraising foundations and NGOs, including those that deal with significant amounts of sensitive, prejudicial personal information are effectively unregulated. We often hear complaints from employees working in private businesses (not federal works, undertakings, etc.) who are extremely disappointed and upset when we tell them that they do not have the same privacy protection guaranteed to all public sector employees in Saskatchewan. I must acknowledge that the federal Privacy Commissioner has recently undertaken a pilot project in Saskatchewan to raise awareness of PIPEDA but this exercise also has highlighted how big the knowledge deficit is in the small and medium sized business sector. I remain of the view that Saskatchewan individuals, businesses and charitable NGOs should all benefit from a simple private sector privacy law. This could be designed to complement and harmonize with our public sector FOIP and Local Authority FOIP Acts and our Health Information Protection Act. It would allow for a more seamless kind of privacy protection that would be simpler for those organizations and for residents. I notice that the impetus for PIPA in BC and Alberta was really business organizations such as Chambers of Commerce realizing that PIPEDA is in some respects cumbersome and deficient for the SME sector. Business organizations in Saskatchewan do not appear to have adopted that view.
Q. The Saskatchewan Gaming Corporation has been recognized as a positive privacy story. What has it done, and what role has your office had in this development?
A. This is a good example of how an Information and Privacy Commission office can perhaps achieve more through consultation than by emphasizing the enforcement role. We started out a year ago with a complaint that the Casino Box Office in Regina required anyone purchasing a ticket for a show to provide name and contact information even if purchasing the ticket with cash. When we followed up with the Saskatchewan Gaming Corporation that operates the casinos in Regina and Moose Jaw, we found no senior identified FOIP Coordinator or Privacy Officer, no appropriate policies and procedures and no comprehensive training program for staff. Instead of focusing solely on the collection of personal information by the Box Office, we spent the better part of the year working with the Corporation in fundamentally reorganizing to meet its FOIP responsibilities as a ‘government institution’. With the assistance of a Portfolio Officer from our OIPC, the Corporation made a senior Vice President the new Privacy Officer and FOIP Coordinator. Comprehensive policies were put in place and a new FOIP training program rolled out. In the casino, the Box Office now only collects personal information if the ticket purchaser volunteered that information but it is no longer mandatory. In addition, prominent signage now advises customers of the Corporation’s information collection practices. There is also new literature readily available to customers. I think that as a result of our collaboration the Corporation and its leadership now view our office as a useful resource and as an office genuinely committed to operating on the basis of cooperation and collaboration.
Q. You’ve published a best practices guide for mobile device security. It’s getting easier to collect and store personal information, but are we keeping up with our privacy responsibilities in the meantime?
A. I’m afraid that privacy risks are not always top-of-mind for organizations embarking on new IT programs, systems, etc. Although we have developed a Privacy Impact Assessment tool available on our website, there is no statutory requirement that a PIA be done by a public body or health trustee before proceeding with new technology. What is perhaps even more troubling is that we see problems with old technology. Our office brought out a FAX advisory after we found a number of health information trustees didn’t appreciate that when the modern multi-use copier machine is sold as surplus equipment it likely will contain memory of the documents it has processed and perhaps substantial amount of personal health information. Look at the number of cases that have come to Information and Privacy Commissioners across the country that involved theft of unencrypted laptops. So, the short answer is that many organizations are not keeping up with their privacy responsibilities. The education and compliance challenge continues apace.
Q. Your office opened more than double the amount of case files in 2009 than it did in 2008. Is this number going up because of inadequate privacy practices, because the public is becoming more aware of its privacy rights, or both?
A. Good question. I think the answer is some of both. I believe there is significantly higher privacy awareness with the organizations that my office oversees and also greater public awareness. The difficult question is how accurately we can assess what is going with all approximate 3000 organizations that we oversee given that we are largely in a reactive role. In any given year if we are dealing with 200 organizations are these just the few ‘bad apples’ or is this indicative of widespread non-compliance. We simply don’t have the resources to be able to accurately assess and catalogue privacy compliance province wide. At the end of the day however, whatever the reason for the large increase in case files there is an indication that a lot more work is yet to be done to move to a more pervasive privacy protective culture.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. One of the interesting ‘growth’ areas will be the electronic health record. Our office just issued our first Investigation Report (H2010-001) dealing with our electronic health record now in development. This involved a pharmacist who entered the Pharmaceutical Information Program database on nine different occasions to view medication profiles for three individuals who were not patients/customers of that pharmacist of the pharmacy he worked for. We identified a number of problems in terms of HIPA compliance with the pharmacy, the regional health authority and the Ministry of Health. We also issued more than 20 recommendations for remedial action. Since the electronic health record is still some distance from completion, I anticipate that there may be more of this type of complaints touching on some element or another of the E.H.R. In fact, at the end of my Investigation Report, I included a Postscript which incorporated a number of broader considerations that this particular case highlighted.
We will be carefully monitoring changes to our health information regulations that enable regional health authorities to disclose certain personal health information of patients to hospital foundations without prior consent of those patients.
Finally, we are witnessing a number of new information and data-sharing initiatives with Executive Government and we expect to be busy considering these initiatives in the next few years.
Q. And, finally, how many points do you think the Winnipeg Blue Bombers will beat the Saskatchewan Roughriders this year in the Labour Day Classic game?
A. I love the fact that all of those Bomber fans come to Regina and generously spend their dollars in our hotels and restaurants and I always feel badly for their long drive back to Winnipeg. Sorry Brian but I don’t see that the return trip to Winnipeg is likely to be any more joyous in 2010!!
Given the level of interest and need for businesses to learn about Canada’s proposed anti-spam legislation, I’ll be offering the following webinar on April 14th from 2:00 – 3:00 PM (CST) / 3:00 – 4:00 PM (EST). Here are the details…
Canada’s proposed anti-spam legislation, called the Electronic Consumer Protection Act, is about to fundamentally alter online marketing activities in Canada. It’s perhaps the most comprehensive type of anti-spam legislation in the world, which will regulate commercial electronic messages and impose stiff new anti-spyware provisions. It’ll also amend Canada’s PIPEDA and Competition Act. Is your business ready?
Learn more during this webinar, at which time we’ll survey the following:
Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first! As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.
Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.
Q. Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?
A. A couple of years ago the Edmonton police raided a hang out for meth users. They found a lot of papers from businesses in the area, which they gave to us. Cell phone contracts, credit bureau checks, credit card information and so on. The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high. They don’t sleep. They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.
Q. So what can the public do to protect itself from that kind of identity theft?
A. Individuals should shred bank and credit card statements. They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft. Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports. Check your bank and credit card statements to make sure someone else isn’t using them. Do a credit bureau reference on yourself maybe once a year. If your score is lower than you think, find out why. If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.
The other side of the problem is organizations that have peoples’ info. They must take proper care of it. As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers files, all thrown away. These papers all have potential for fraudulent use. Businesses need to shred this stuff. Furthermore, for businesses that have customer databases, how well secured is it? Who on their staff has access to it? We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.
Q. Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?
A. It is early days yet. Hopefully it will make organizations extra careful with personal information. Will that raise the bar for organizations in other provinces? Maybe. If you are going to change your practices here, you might as well change them everywhere. Possibly more provinces will legislate. A big piece of the picture will be when the Federal government amends PIPEDA in this regard. Maybe this will increase pressure to do so. It will be a challenge to figure out what “a real risk of significant harm” is. It will be a challenge to figure out in which cases there should be notice given and what kind of notice.
Q. You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?
A. We aren’t perfect but we are way ahead of most other jurisdictions. The “commissioner” system of enforcement has served us well because we do not have the kind of well funded civil society organizations which can advocate for privacy. Commissioners can and do advocate. I mean, I would love to have an ACLU, or and EPIC or an EFF in Canada. Our civil liberties people, like FIPA in BC do great work with the resources they have but resources are scarce. We need some rich people to endow some of these groups. The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy. We get it to some extent. I like to think it is because we are, yes, polite, and respectful of other people. That makes us respect each other’s space. We must not lose that as the world becomes one big facebook/google culture. Teach your children well.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. Cyber attacks, hacks and other losses will continue. Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed. I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening. Governments like surveillance. Heck, the public likes surveillance because we are just so bad at risk assessment. We are scared of everything it seems and we want someone to keep an eye on everything for us. It will be interesting to see if technology begins to fail us. For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it? They bring in new technology. And that doesn’t prevent the next one (God forbid). Maybe they run out of technology, although, for the money involved I don’t see that happening. Someone will come up with a new toy. Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?” I think that will be a social shock.
I’m very pleased to be able to post the following conversation with Jennifer Stoddart.
Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism. As a result, Canadians have been exceptionally well-served.
Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.
Q. How did you get involved in the world of privacy?
A. Back in the spring of 2000, I happened to read an article in the New York TimesMagazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.
A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.
Last year’s investigationinto a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.
Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?
A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.
As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.
Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.
Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?
A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.
We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.
So the challenges are real, and they are huge.
Q. So how does an Office like yours keep up?
A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.
We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.
But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.
Q. If you could make a few recommendations for Canadian business leaders, what would you say?
A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.
Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.
I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance.
Q. Do you have any “privacy-related” predictions for 2010?
A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.
And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.
I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.
For years now, Ontario’s Personal Health Information Protection Act has contained provisions requiring health custodians to notify individuals if their personal health information is stolen, lost or accessed by unauthorized persons. Until now, such mandatory privacy breach notification provisions have been limited to the sphere of health care in Ontario. That’s about to change.
The federal Personal Information Protection and Electronic Documents Act will likely contain mandatory privacy breach notification provisions in the near future. Since 2006, Special Committees at both the Federal and Provincial (Alberta and B.C.) levels have convened and generated a series of recommendations relating to breach notification. For further information on these recommendations, see the final reports of the Federal , Alberta and B.C. committees.
The most important recommendation independently generated by each of the committees provides that organizations should be under a statutory breach notification duty. On October 27, 2009, the initial step toward implementing this recommendation was taken in the Alberta Legislature with the first reading of Bill 54: Personal Information Protection Amendment Act, 2009. The Alberta privacy breach notification provisions will soon come into force. British Columbia and the Feds are expected to follow suit and implement similar requirements in the near future. When that occurs, private sector organizations across Canada will be required by applicable law to notify affected individuals when privacy breaches occur.
The best advice is to make sure that privacy protection policies, procedures and training are implemented and enforced… now.
Courtney’s paper, entitled “Bill 219: An Insurmountable Goal”, argues that the lawis necessary in order to “effectively protect the privacy rights of all Manitobans”. The paper outlines the main features of the Bill; examines the role of PIPEDA and the concept of “substantially similar” legislation; and analyzes the main arguments advanced for and against the Bill, as expressed in Hansard and in the context of the Bill’s legislative history. Courtney also advances theories regarding the major impediments to its passing.
Courtney was a summer student at Pitblado LLP this past summer and will (fortunately for us) be returning in the New Year to complete her Articles. Thanks to Courtney for sharing her paper, which you can read by clicking on the hyperlink below.
The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies. Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.
As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping.
This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.
Is there one set of privacy rules for regular businesses and one for the media? In a past case summary, the Office of the Privacy Commissioner of Canada (the “OPC”) found that a radio station which had broadcast the name and comments of a caller who had phoned the radio station’s news tips line to relay specific details of a robbery was not a violation of the Personal Information Protection and Electronic Documents Act(PIPEDA). Why wasn’t this a violation?
PIPEDA contains provisions aimed at protecting the media’s right to “freedom of expression”, which is a pretty fundamental right worth protecting in a free and democratic society. Specifically, PIPEDA’s privacy obligations don’t apply to “any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose”. When the collection of personal information is solely for journalistic purposes, journalists aren’t required to obtain the consent of individuals about whom the information relates. The result is that if a journalist’s activities are truly “journalistic” then they can proceed with the collection and broadcast of personal information without seeking permission from individuals. Of course, it’s still a good idea to obtain consent in most circumstances despite the exemption.
When the media collects, uses or discloses personal information for reasons that are not journalistic, serious issues arise as they would for any regular business. In the finding noted above, the OPC determined that the personal information collected by the radio station was intended soley for journalistic purposes. That’s why the OPC was of the view that there had not been any violation of PIPEDA. Any illusion that the media are not bound by PIPEDA is wrong. But there are appropriate exemptions in the law that help them to conduct their important work.
In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007. The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information. A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted.
These incidents demonstrate how easily sensitive data can be compromised when stored on laptops. Encryption is a relatively easy way to improve the security of such information. But, where do you start? There are numerous encryption options available. Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.
Call off the strike, some trade unions are protecting more than their members’ collective bargaining rights. In fact, many unions have taken a proactive approach to privacy by creating policies that attempt to comply with the benchmarks set out in the federal Personal Information Protection and Electronic Documents Act(“PIPEDA). However, there hasn’t yet been a case summary or court action under PIPEDA that definitively determines whether a union that collects personal information in their general capacity is obligated to observe the rules outlined in the legislation. As a result, some unions are complying with PIPEDA’s obligations to protect their members’ privacy and, regrettably, some unions are not.
The application of PIPEDA is dependent on the existence of a “commercial activity.” Although this term is vague, the case is strong that most union activities are, in fact, captured by PIPEDA. What is certain is the application of Alberta’s privacy legislation, the Personal Information Protection Act (“Alberta’s PIPA”), to the management of personal information by unions. The application of Alberta’s PIPA is not dependent on the existence of a “commercial activity”. As a result, a 2006 Investigation Report from the Alberta Information and Privacy Commissioner found that the collection of personal information by unions in their general capacity subjects them to the requirements found in Alberta’s PIPA. Manitoba’s Bill 219, The Personal Information Protection and Identity Theft Protection Act (the “Manitoba Bill”) is modeled after Alberta’s PIPA. Similar to Alberta’s PIPA, the application of the Manitoba Bill does not depend on whether an organization is engaged in a “commercial activity.”
As I’ve argued in previous posts, the Manitoba Government should support the Manitoba Bill (which was introduced as a private member’s bill by opposition member, Mavis Taillieu). The Manitoba Bill creates a level of certainty with regards to the privacy rights of union members. That’s one of the many reasons why the Manitoba government should ”cross the picket lines” to privacy and support the Manitoba Bill in this fall session of the Manitoba Legislature.
Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner.
PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years. To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested. A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.
Changes to PIPEDA may include:
a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada;
amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.
The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review. Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.
Have you heard the term “cloud computing“, but aren’t really clear what it means?
Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.
Some organizations are opting for ”Software as a service” (SaaS), and allowing their data to reside on other company’s servers, or “the cloud“. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.
Cloud computing is not new, but is now embedded into the fabric of modern business operations. In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs.
Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.
Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information and Protection of Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.
They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach?
While the OPC’s Facebook investigation should be a “must read” for all Facebook users, it also provides some insightful information for Canadian organizations regulated by PIPEDA. The lessons that can be learned from the investigation can be applied by Canadian businesses regardless of whether their activities are online or offline.
Despite the fact that “[i]t’s clear that privacy issues are top of mind for Facebook…” federal Privacy Commissioner Jennifer Stoddart says that the OPC has found “serious privacy gaps in the way the site operates”. According to Stoddart, in order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care. An overarching concern of the OPC was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers. The OPC recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.
The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found. The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.
The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts, which is a violation of PIPEDA. The law requires organizations to retain personal information only for as long as is necessary to meet appropriate purposes. Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.
Click here to read the OPC’s News Release, here for the full investigation report and here to read a helpful backgrounder. If you’d like to read more about Facebook, please click on the Facebook link under this blog’s Tags (below).
Your business has insurance for typical business risks, but will your insurance protect you from liability arising from privacy law compliance?
People are increasingly aware of their privacy rights. This heightened awareness has translated into a greater willingness to initiate costly and time-consuming privacy complaints. Thanks to laws like the Personal Information Protection and Electronic Documents Act (PIPEDA), the reality for businesses is that non-compliance with privacy laws can take a chunk out of the bottom line. Given the costs associated with failing to meet legal standards, it’s not surprising that many insurers now offer privacy insurance coverage. But what is privacy insurance, and will it actually protect your business when you need it most? The scope of coverage offered varies depending on the provider, so it’s important to read the fineprint.
Be sure to ask what the policy covers. Some policies limit privacy insurance to protection from hacker attacks. But while hackers are a serious issue for any business, your insurance plan may need to do more. Depending on your jurisdiction and the applicable privacy laws, you may want to look for protection against any costs that can be imposed by the regulatory agencies that oversee compliance with privacy legislation. Otherwise, you might find you’re on your own for your businesses’s failure to fully meet the legal requirements for personal information under your control, including obligations to respond to access to information requests, obtain consents and ensure the accuracy of personal information holdings. It’s also a good idea to evalute your existing protection. Your current business insurance may already provide you with the coverage you need. If, for example, your errors and omissions insurance already protects you against privacy breaches, purchasing additional insurance may not be necessary.
Consider what the privacy insurance plan won’t cover. Many plans don’t cover illegal or fraudulent employee conduct, and some stop short of protecting against anything beyond the unauthorized release of personal information. Court defence costs may also be excluded. Make sure you read the plan or have your lawyer go over it before you buy it.
Finally, don’t forget that the best insurance policy is to take as many proactive steps as possible to get your privacy house in order. If you’re reading this blog, chances are you already have some of these measures in place. If not, consider comprehensive privacy policies and procedures that are reviewed and updated on (at least) an annual basis by legal counsel with expertise in privacy law. Staff privacy training is another excellent proactive step. As the saying goes, the best offence is a good defence!
It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca. Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics. Here’s what we covered…
On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week. The post highlights a YouTube video of an irrate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.
On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter. As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.
On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions. For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.
On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.
The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised. Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).
Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions. However, the government could add those provisions in amendments. In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of whom have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.
The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown. It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA. As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so.
If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support.
Additional coverage on this topic by the Canadian HR Reporter here.
The Government of Canada announced today the introduction of anti-spam legislation called the Electronic Commerce Protection Act(“ECPA”) that “aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.”
According to the government’s News Release, the ECPA would allow businesses and individuals to initiate civil actions against anyone who violates the law. The ECPA deals with unsolicited text messages, or “cellphone spam”, as a form of “unsolicited commercial electronic message”.
It would establish a regulatory enforcement regime that would enable the CRTC to impose penalties of up to $1 million for individuals and $10 million in all other cases. The Competition Bureau would use a penalty regime already provided for in the Competition Act, and the federal Privacy Commissioner‘s powers to cooperate and exchange information with her counterparts would be expanded in respect of the Personal Information Protection and Electronic Documents Act.
The ECPA is nearly 70 pages long. Stay tuned to this blog. As soon as I’ve been able to digest the content I’ll post again on how the ECPA is likely going to affect Canadian businesses, especially those enaged in online marketing.
The current global economic climate has led to a growing number of bankruptcy and insolvency proceedings, particularly in the U.S. In dealing with these proceedings, many business leaders have not paid enough attention to the role of privacy law and its impact on the bottom line.
A prime example is the bankruptcy of U.S. online toy retailer, Toysmart.com. Toysmart.com had collected vast amounts of personal information from its online consumers in accordance with its privacy policy, which stated that the company would never share its database with third parties. Despite the promise, Toysmart.com then made attempts to sell the database. The U.S. Federal Trade Commission (“FTC”) then sued Toysmart.com seeking injunctive and declaratory relief to prevent the sale of the database by Toysmart.com. The complaint alleged that Toysmart.com had violated U.S. law by misrepresenting to consumers that personal information would never be shared with third parties, and then disclosing, selling and offering that information for sale. Toysmart.com later settled with the FTC. The settlement agreement forbid the sale of the database except under very limited circumstances.
Of course, Canadian companies are subject to Canadian privacy laws such as PIPEDA, which require the consent of individuals for the disclosure of personal information to third parties. In structuring privacy policies, Canadian companies should consider all outcomes including bankruptcy. As a result, privacy policies should be carefully drafted with consideration of the possibility that personal information may be shared with third parties in the event of bankruptcy. Doing so will almost certainly not be enough to fully comply with Canadian legal requirements, but it’s a prudent step in the right direction – especially in these uncertain economic times.
Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “digital footprints“.
The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!
Businesses can help reduce their customer’s digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”. It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.
Does PIPEDA apply to non-Canadians? It’s a common question.
PIPEDA applies to organizations that collect, use, or disclose “personal information” in the course of a commercial activity. The definition of “personal information” does not specify the residency of the individual to whom the personal information must relate. As a result, organizations are well-advised to manage their personal information holdings in accordance with all of the obligations set forth in PIPEDA regardless of the residency of the individuals to whom information relates. If they don’t, non-Canadians (including U.S. residents) may initiate privacy complaints to the Office of the Privacy Commissioner of Canada.
Ongoing privacy training is a vital tool to assist with privacy law compliance. In this respect, the following Canadian privacy law conferences in the coming months may be of interest to you or others in your organization:
On May 20, 2009, the Manitoba Bar Association will be hosting an IP/Technology Section luncheon where I will be speaking about emerging privacy issues. Of course, you need to be a member or a guest of the Manitoba Bar Association to attend.
From June 17 – 19th, I will be speaking in Winnipeg at the National Credit Institute‘s 2009 CIC National Conference: “Back to our Roots, Forward to our Future” on the privacy law matters affecting those in the credit industry.
The Privacy Security Trust 2009 (PST2009) will be hosting the Seventh Annual International Conference on Privacy, Security and Trust in Saint John, New Brunswick from August 25 – 27, 2009.
The 2009 IEEE International Conference on Information Privacy, Security, Risk and Trust will be held in Vancouver, British Columbia from August 29 – 31, 2009.
If there are other Canadian privacy law conferences in the coming months that I haven’t listed, please post a Comment or drop me an e-mail so I can update this post. If you, or your industry association, are interested in more focussed privacy training, please let me know as I regularly conduct in-house privacy training sessions for clients.
Another day, another development in the Google Street View story. Canada’s Privacy Commissioner and several provincial privacy commissioners have commented on street level imaging technology by releasing a timely Fact Sheet on the related privacy issues.
The commissioners point out that ”a common misconception is that a company doesn’t need your permission to take your photograph in a public place. In fact, one of your key protections under Canadian privacy law is that you should know when your picture is being taken for commercial reasons, and what your image will be used for. Your consent is also needed.”
The Winnipeg Free Press is also running an excellent story in today’s newspaper, which highlights some of the broader issues related to Google Street View. Arthur Schafer, a professor at the University of Manitoba and director of the Centre for Professional and Applied Ethics, comments in the story about the related ethical issues while I comment in the story about the related legal issues.
The looming battle between privacy advocates and Google Street View could have implications beyond Google and its Canadian-based service providers, who are currently taking detailed photos of Canadian cities. I’m quoted in today’s Winnipeg Sun article on this issue, where I argue that the implications of the Google Street View battle could extend to how Canadian privacy laws are interpreted and enforced.
If you’re not ramped up on Google Street View, you may want to read the Wikipedia description, which does a good job of explaining the Google service. David Fraser also has an illustrative blog post, which highlights the remaining privacy issues despite Google’s efforts to blur faces and licence plates.
Despite the fact that Google’s Canadian-based service providers are taking pictures in public places, Canadian privacy laws generally require the consent of individuals for the collection of their personal information. In fact, the first ever Case Summary under PIPEDA dealt with video surveillance activities in public places. In the Case Summary, the former Privacy Commissioner advised the company being investigated that its intended public video surveillance for commercial purposes was unlawful and should not be pursued. More recently, and on point, Canada’s Privacy Commissioner, Jennifer Stoddart, has sent a letter to Google outlining the concerns about Google Street View from a Canadian privacy law perspective.
I recently discussed with Nymity News some of the privacy issues related to third party opt-out websites. Specifically, I highlighted in the interview the risks facing organizations who honour requests from such websites. Marketing research organizations such as those that are members of the MRIA may find the interview of particular interest, but it’s still worth reading regardless of what industry your business operates in if you’re not yet aware of these types of third party opt-out websites.
In terms of privacy, as with many other things, each step forward seems to come with a catch that makes the step forward a little smaller than one would hope. Google, in response to demands from privacy advocates and users, has taken a progressive step forward and created a means for users of Google to opt out of their targeted advertising by allowing a user to access Google Ad Preferences to change settings or to opt out completely.
At the same time, Google has announced plans to launch a new type of targeted advertising. Currently, when an Internet user visits a webpage with Google Adsense, Google will store cookies on a user’s computer and remember their interests from previous searches. The example used by Google is that if you have an interest in gardening, you may be shown gardening ads along with those related to the site you are visiting.
While Google’s addition of its Ad Preferences program is encouraging for privacy advocates, it does come in the wake of an entirely new and -according to privacy advocates – more invasive means of targeting ads at users. As part of this new initiative, Google has asked all Google Adsense publishers to update their privacy policies to notify users of their site of the fact that interest-based advertising will be displayed.
The Privacy Commissioner once noted that although PIPEDA (and other privacy legislation) imposes obligations on organizations to take appropriate measures in protecting personal information, sometimes the more important role of privacy legislation is to help people shape their view of privacy.
By revising their privacy policies, businesses will be taking steps to comply with applicable privacy laws; but whether these steps are enough to address the expectations of their customers regarding privacy is a matter to be best considered by each business. In the meantime, if a business using Adsense has any questions about this change or requires any assistance in updating their Privacy Policy, I would encourage you to contact me to discuss.
Bell Canada recently announced that it would acquire The Source, a national electronics dealer. Bell has indicated that it will be acquiring substantially all of the assets of The Source.
I don’t know what those assets will be, but I think it is an interesting example of the fact that even in recessions we still see acquisitions of companies. When an organization’s assets are bought, one of the most valuable assets that are purchased is often its customer list.
PIPEDA and other applicable privacy laws, of course, govern transactions involving personal information. In the course of such transactions some companies are now implementing concepts once used only to secure physical assets. For example, many organizations are choosing to employ “escrow” arrangements to ensure the security of personal information.
Most businesses now understand that the implications of violating applicable privacy laws can be very serious to the reputation and bottom line of both the vendor and purchaser. As part of a sale of a customer list, and depending on the specific circumstances, both parties may agree that the customer list be placed in escrow until the transaction is completed. This ensures that what is likely the most valuable asset in the transaction – the customer list – is protected from unintended disclosures prior to the actual transfer of the business.
If you’re a privacy professional, you’re likely overwhelmed with the ongoing task of staying on top of legal, industry and technology developments. As you know, there’s no shortage of issues these days. Hopefully, this blog is helping your efforts!
But if you work for a private sector organization and haven’t yet signed up for the federal Privacy Commissioner‘s e-newsletter entitled Privacy Perspectives, I’d suggest you do. It contains great information and helps to stay on top of things.
If you’re still in need of ongoing assistance and aren’t already a member of the Privacy Forum, you may want to touch base with me to learn more. It has been a super venue over the last 6 years for information sharing and the current members are an excellent group of individuals and first rate privacy professionals.
If you’re a privacy professional you will know that Canada’s privacy laws are in place to protect the privacy rights of individuals, not businesses.
Despite this fact and that Canada’s federal privacy law, PIPEDA, has been in force since 2001, it’s surprising how many others are confused on this point.
For instance, I recently had a client make an information request to an organization for access to corporate information. When the organization responded, they denied access to the requested information and claimed that PIPEDA required that they do so in order to protect the privacy interests of a business.
There may be circumstances where organizations have other legitimate reasons for denying access to certain information. There may also be circumstances where privacy laws such as PIPEDA should be cited in denying access to certain business records where releasing the information could unlawfully disclose the personal information of another individual. Organizations should not, however, cite Canada’s privacy laws as a justification to deny access to information requests on account of the privacy rights of a business.
If you encounter this scenario you may be dealing with someone who either doesn’t understand privacy laws or who is perhaps being disingenuous. After all, the general thrust of Canada’s privacy laws is to encourage organizations to create a culture of privacy in order to protect the privacy of individuals whose personal information is collected, used, retained or disclosed by such organizations.
How is your business dealing with metadata? If you’re scratching your head and asking “what the heck is metadata?” or if you’re drawing a blank about what your business may (or may not) be doing to manage its metadata, then you should definitely read on.
For the basics on metadata, read here. As you’ll learn in more detail, “metadata” is data about data. It’s detailed information that is automatically created about an electronic document when you use Microsoft Word, PowerPoint or Excel. It can include the name of the person or organization that created a document, the date that it was created, the identities of people who modified a document, including the time and day they did so, the name of the computer that was used to create a document and detailed revisions to a document, including past modifications and deleted text not visible on your computer screen. If not properly managed, metadata can help other businesses steal your intellectual property, learn about your business processes and view personal information that you’re legally required to protect under privacy laws.
One practical way to deal with metadata is to use metadata scrubber software. Some are costly but well worth it, including Payne Metadata Assistant and Workshare Protect. There are also free tools available including a Microsoft one (but it is only for Office 2007) and one offered by Javacool Software. Of course, I’d recommend that you work with technology professionals to determine the best metadata scrubber software for your business. Regardless of whether you use one of these or other tools, it’s important that you deal with metadata in some fashion. I hope these links help provide you with a good place to start! Feel free to Leave a Comment below if you know of other metadata scrubber software worth recommending.
As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.
an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The primary means by which an organization can protect personal information that it transfers to a third party for processing is through a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.
Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.
Do you ever wish you were Jack Bauer from the TV show 24? Here’s your chance!
There are a growing number of articles that are highlighting the threat of “cyber-terrorism”. It’s a scary topic that is surely consuming the time of government technology infrastructure professionals in the U.S. and Canada.Some of these articles discuss the remote possibility that terrorists may perpetrate cyber-attacks against critical online government and corporate infrastructure.Other articles discuss the very real possibility that terrorists may simply use the Internet (and the information contained online) to plan attacks in the real world. Don Cavender, a special agent and instructor with the FBI’s Computer Training Unit at Quantico, Virginia, is quoted in an excellent ZDNet article and says that “the worry right now is not so much a cyberterrorism event…but when the terrorists use the Internet to facilitate the planning of these attacks.”
We all know that the Internet is filling up with vast amounts of data including people’s personal information, as well as corporate and government data.The lesson that I take from all of these “cyber-terrorism” related articles is that businesses should make sure that they are working with technology professionals to secure their databases and limit the amount of personal information and corporate data available online.Of course, there are many reasons for businesses to secure their databases and to limit what information is available online.For example, privacy laws such as Canada’s PIPEDA regulate the safeguarding of personal information.And, there are good business reasons to limit the availability of proprietary corporate data online.But, if you ever wished you were Jack Bauer, then here’s your chance to fight terrorism…one corporate move at a time.
I chaired a lively Privacy Forum member meeting yesterday, which included a great discussion on how to get staff “buy-in” on privacy compliance. It’s an important topic because an organization can have comprehensive privacy policies and procedures, but if employees don’t “buy-in” they won’t implement the policies and procedures properly.
The important thing is to develop a culture of privacy within the workplace. Fostering a workplace culture where privacy is valued and respected contributes to good employee morale and mutual trust. It also helps employees to identify privacy issues before they become privacy complaints (which can result in costly grievances, lawsuits or settlements). After all, it’s employees that are on the front line with customers and how employees respond to privacy related questions or concerns can make a big difference.
When I conduct privacy training sessions for clients, I always remind employees that while privacy compliance is the law, it’s also important because good privacy practices can improve customer relations, increase efficiencies and mitigate time-consuming and costly privacy complaints. I also try to make privacy compliance fun! No, this is not a misprint…I said “fun”. Privacy Forum members had some great suggestions on how to make privacy compliance fun and, in doing so, help to get staff “buy-in” on privacy compliance.
Please post a Comment below on ways that you or your organization tries to get staff “buy-in” on privacy.
Privacy professionals will know first hand the importance of conducting regular staff privacy training, which can mitigate customer privacy complaints and (as a result) the overall costs of privacy compliance.I certainly know from my practice that the costs to businesses can be quite significant when having to deal with serious privacy complaints.These costs can include settlements, legal fees and lost productivity.Obviously, it’s better to be proactive and reduce the chances of having to deal with privacy complaints.That’s where regular staff privacy training comes in! Businesses really should conduct staff privacy training on a regular basis – in my view, at least on an annual basis.
In a recent speech to the 10th Annual Privacy and Security Conference in Victoria, B.C., Privacy Commissioner Jennifer Stoddart commented, “Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws. This is a huge concern! We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor. It was an issue in more than half of the spills we examined! We found that very basic mistakes – human errors – often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.”The full speech is entitled, “A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?” and is definitely worth reading.
My September 3, 2008 column in the Winnipeg Free Press reports on the findings of the Privacy Commissioner of Canada regarding canada.com’s outsourcing to a U.S. based service provider. The finding highlights the complexities of Canadian and U.S. laws as they relate to the personal information of customers and reminds Canadian businesses of the need to have legal agreements with third party service providers, especially those located in the U.S.
My December 3, 2008 column in the Winnipeg Free Press details the problems businesses can get in to when they keep every single piece of information on their customers, even when they no longer need it.
My April 2, 2008 column in the Winnipeg Free Press discusses the privacy implications resulting from recording telephone calls, and why it is important to let your customers know if you are recording their calls to you.
My November 7, 2007 column in the Winnipeg Free Press discusses the Privacy Commissioner of Canada’s annual report and what it means to private sector businesses.
My June 7, 2006 column in the Winnipeg Free Press considers PIPEDA Case Summary #325, which sets out the rules regarding sharing customer lists of businesses being considered for sale.
My December 7, 2005 column in the Winnipeg Free Press poses potential technology and privacy questions to the candidates in the upcoming federal election.
My April 5, 2006 column in the Winnipeg Free Press reports on the implication of Canadian businesses using American companies to store Canadian personal information.
This blog provides practical assistance to Canadian businesses so they can better deal with issues related to privacy, access to information, online reputation management, intellectual property and technology legal matters. I hope you subscribe to this blog via RSS (below) or via e-mail (below) so that you can receive timely updates to new posts. Thanks, Brian
This blog is presented for informational purposes only. Content does not constitute legal advice or solicitation and does not create solicitor-client relationship. Views expressed are solely the author's and should not be attributed to any other party, including Pitblado LLP or its clients. The author makes no guarantees regarding the accuracy or adequacy of the information contained herein or linked to via this blog. The author is not able to provide free legal advice. If you are seeking advice on specific matters, please contact Brian Bowman at (204) 956.3520 or bowman@pitblado.com, but please be aware that any unsolicited information sent to the author cannot be considered to be solicitor-client privileged. Comments published on this blog do not reflect the views of Brian Bowman, Pitblado LLP or its clients.
Earlier today, Canada’s Privacy Commissioner, Jennifer Stoddart, submitted to Parliament the OPC’s Annual Report on PIPEDA for the period from January 1 to December 31, 2009. 
Posted by Brian Bowman 
A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of 
Call off the strike, some trade unions are protecting more than their members’ collective bargaining rights. In fact, many unions have taken a proactive approach to privacy by creating policies that attempt to comply with the benchmarks set out in the federal 
Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand 
The 
Your business has insurance for typical business risks, but will your insurance protect you from liability arising from privacy law compliance?
The 
The 
The current global economic climate has led to a growing number of bankruptcy and insolvency proceedings, particularly in the U.S. In dealing with these proceedings, many business leaders have not paid enough attention to the role of privacy law and its impact on the bottom line.
Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “
Does 
Ongoing privacy training is a vital tool to assist with privacy law compliance. In this respect, the following Canadian privacy law conferences in the coming months may be of interest to you or others in your organization:
Another day, another development in the 
The looming battle between privacy advocates and 
I recently discussed with 
In terms of privacy, as with many other things, each step forward seems to come with a catch that makes the step forward a little smaller than one would hope. 
Bell Canada
If you’re a privacy professional, you’re likely overwhelmed with the ongoing task of staying on top of legal, industry and technology developments. As you know, there’s no shortage of issues these days. Hopefully, this blog is helping your efforts!
If you’re a privacy professional you will know that 
How is your business dealing with 
The 
Do you ever wish you were 
I chaired a lively 
Privacy professionals will know first hand the importance of conducting regular staff privacy training, which can mitigate customer privacy complaints and (as a result) the overall costs of privacy compliance.
Canada, U.S. laws on privacy complex
Data “packrats” failing customers: Companies need policies on retention
Recording telephone calls could be a risky business
Businesses face challenge in winning people’s trust
Businesses must take steps to prevent I.D. theft
Time to amend the Personal Information Act
Buying or selling a business requires due diligence
New privacy law evolves rapidly, changes consumer attitudes
Identity theft, loss of privacy face people in a wired world 
Privacy requires ongoing diligence
Timely questions for those seeking to run the nation: technology, intellectual property should be on politicians’ agendas 
Privacy protection should be at top of resolutions: develop policies, procedures in a customer-friendly way
Outsourcing comes with risks; U.S. service providers bring privacy concerns 
Privacy still on Canadians radar screen: poll
