A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada

January 25, 2010

I’m very pleased to be able to post the following conversation with Jennifer Stoddart

Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism.  As a result, Canadians have been exceptionally well-served.

Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.

Q. How did you get involved in the world of privacy?

A. Back in the spring of 2000, I happened to read an article in the New York Times Magazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.

I was working at the Quebec Human Rights Commission at the time. The next week, I was asked to head up Quebec’s Access to Information and Privacy Commission, and that’s the field I’ve been in ever since.

Q. But it’s coming to an end.

A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.

Last year’s investigation into a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.

Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?

A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.

As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.

Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.

Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?

A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.

We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.

So the challenges are real, and they are huge.

Q. So how does an Office like yours keep up?

A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.

We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.

But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.

Q. If you could make a few recommendations for Canadian business leaders, what would you say?

A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.

Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.

I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance. 

Q. Do you have any “privacy-related” predictions for 2010?

A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.

And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.

I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.

10 Comments | Airport Security, Government, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Privacy Commissioner of Canada, Security | Tagged: , , , , , , , | Permalink
Posted by Brian Bowman

Mandatory privacy breach notification requirement inevitable

December 15, 2009

For years now, Ontario’s Personal Health Information Protection Act has contained provisions requiring health custodians to notify individuals if their personal health information is stolen, lost or accessed by unauthorized persons.  Until now, such mandatory privacy breach notification provisions have been limited to the sphere of health care in Ontario. That’s about to change.

The federal Personal Information Protection and Electronic Documents Act will likely contain mandatory privacy breach notification provisions in the near future. Since 2006, Special Committees at both the Federal and Provincial (Alberta and B.C.) levels have convened and generated a series of recommendations relating to breach notification.  For further information on these recommendations, see the final reports of the Federal , Alberta and B.C. committees.

The most important recommendation independently generated by each of the committees provides that organizations should be under a statutory breach notification duty.  On October 27, 2009, the initial step toward implementing this recommendation was taken in the Alberta Legislature with the first reading of Bill 54: Personal Information Protection Amendment Act, 2009.  The Alberta privacy breach notification provisions will soon come into force. British Columbia and the Feds are expected to follow suit and implement similar requirements in the near future. When that occurs, private sector organizations across Canada will be required by applicable law to notify affected individuals when privacy breaches occur.

The best advice is to make sure that privacy protection policies, procedures and training are implemented and enforced… now.

Leave a Comment » | Personal Information, PHIA, PIPEDA, Privacy, Privacy Breach | Tagged: , , , , | Permalink
Posted by Brian Bowman

Manitoba private sector privacy legislation: An insurmountable goal?

December 11, 2009

University of Manitoba law student, Courtney Pope, has just drafted an in-depth paper (below) on Bill 219The Personal Information Protection and Identity Theft Protection Act. As I’ve previously posted here, Bill 219 seeks to regulate the management of personal information by organizations in the Manitoba private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). 

Courtney’s paper, entitled “Bill 219: An Insurmountable Goal”, argues that the law is necessary in order to “effectively protect the privacy rights of all Manitobans”.  The paper outlines the main features of the Bill; examines the role of PIPEDA and the concept of “substantially similar” legislation; and analyzes the main arguments advanced for and against the Bill, as expressed in Hansard and in the context of the Bill’s legislative history. Courtney also advances theories regarding the major impediments to its passing.

Courtney was a summer student at Pitblado LLP this past summer and will (fortunately for us) be returning in the New Year to complete her Articles.  Thanks to Courtney for sharing her paper, which you can read by clicking on the hyperlink below.

Bill 219: An Insurmountable Goal

Leave a Comment » | Bill 219, Personal Information, PIPEDA, Privacy | Tagged: , , , , | Permalink
Posted by Brian Bowman

Rogue employees pose risk to privacy compliance, corporate info

November 18, 2009

The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies.  Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.

3 Comments | Data Protection, Due Diligence, Personal Information, PIPA, PIPEDA, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security | Tagged: , , , , , , , , , , | Permalink
Posted by Brian Bowman

Are the media subject to PIPEDA?

September 16, 2009

Broadcasting

Is there one set of privacy rules for regular businesses and one for the media? In a past case summary, the Office of the Privacy Commissioner of Canada (the “OPC”) found that a radio station which had broadcast the name and comments of a caller who had phoned the radio station’s news tips line to relay specific details of a robbery was not a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). Why wasn’t this a violation?

PIPEDA contains provisions aimed at protecting the media’s right to “freedom of expression”, which is a pretty fundamental right worth protecting in a free and democratic society.  Specifically, PIPEDA’s privacy obligations don’t apply to “any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose”.  When the collection of personal information is solely for journalistic purposes, journalists aren’t required to obtain the consent of individuals about whom the information relates. The result is that if a journalist’s activities are truly “journalistic” then they can proceed with the collection and broadcast of personal information without seeking permission from individuals.  Of course, it’s still a good idea to obtain consent in most circumstances despite the exemption.   

When the media collects, uses or discloses personal information for reasons that are not journalistic, serious issues arise as they would for any regular business. In the finding noted above, the OPC determined that the personal information collected by the radio station was intended soley for journalistic purposes. That’s why the OPC was of the view that there had not been any violation of PIPEDA. Any illusion that the media are not bound by PIPEDA is wrong.  But there are appropriate exemptions in the law that help them to conduct their important work.

Leave a Comment » | Media, Personal Information, PIPEDA, Privacy, Privacy Commissioner, Security | Tagged: , , , , , | Permalink
Posted by Brian Bowman

Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner

September 10, 2009

Laptop 11A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.

Leave a Comment » | Access to Information, Data Encryption, Data Protection, Laptops, Mobile devices, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, PSDs, Safeguarding, Safekeeping, Security, Security Breach, Smartphones, Technology | Tagged: , , , , , , , , , , , , , , | Permalink
Posted by Brian Bowman

“Crossing the picket lines” to privacy

September 8, 2009

On StrikeCall off the strike, some trade unions are protecting more than their members’ collective bargaining rights. In fact, many unions have taken a proactive approach to privacy by creating policies that attempt to comply with the benchmarks set out in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA). However, there hasn’t yet been a case summary or court action under PIPEDA that definitively determines whether a union that collects personal information in their general capacity is obligated to observe the rules outlined in the legislation. As a result, some unions are complying with PIPEDA’s obligations to protect their members’ privacy and, regrettably, some unions are not.

The application of PIPEDA is dependent on the existence of a “commercial activity.” Although this term is vague, the case is strong that most union activities are, in fact, captured by PIPEDA. What is certain is the application of Alberta’s privacy legislation, the Personal Information Protection Act (“Alberta’s PIPA”), to the management of personal information by unions. The application of Alberta’s PIPA is not dependent on the existence of a “commercial activity”. As a result, a 2006 Investigation Report from the Alberta Information and Privacy Commissioner found that the collection of personal information by unions in their general capacity subjects them to the requirements found in Alberta’s PIPA. Manitoba’s Bill 219, The Personal Information Protection and Identity Theft Protection Act (the “Manitoba Bill”) is modeled after Alberta’s PIPA. Similar to Alberta’s PIPA, the application of the Manitoba Bill does not depend on whether an organization is engaged in a “commercial activity.”

As I’ve argued in previous posts, the Manitoba Government should support the Manitoba Bill (which was introduced as a private member’s bill by opposition member, Mavis Taillieu). The Manitoba Bill creates a level of certainty with regards to the privacy rights of union members. That’s one of the many reasons why the Manitoba government should ”cross the picket lines” to privacy and support the Manitoba Bill in this fall session of the Manitoba Legislature.

Leave a Comment » | Government, Personal Information, PIPA, PIPEDA, Privacy | Tagged: , , , , , , , | Permalink
Posted by Brian Bowman

Changes to PIPEDA may be coming soon

August 10, 2009

coming-soonHave you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner. 

PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years.  To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested.  A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.

Changes to PIPEDA may include:

  • a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada; 
  • amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
  • modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.

The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review.  Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.

1 Comment | Government, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Security Breach | Tagged: , , , , , , , , , , | Permalink
Posted by Brian Bowman

Is your business engaging in “cloud computing”? Probably.

July 27, 2009

Clouds 5 revised

Have you heard the term “cloud computing“, but aren’t really clear what it means?

Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.

Some organizations are opting for ”Software as a service” (SaaS), and allowing their data to reside on other company’s servers, or “the cloud“. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.

Cloud computing is not new, but is now embedded into the fabric of modern business operations.  In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs. 

Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.

Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information and Protection of Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.

They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach? 

2 Comments | Internet, PIPEDA, Privacy, Technology | Tagged: , , , , , , , , , | Permalink
Posted by Brian Bowman

Facebook criticized by Canada’s Privacy Commissioner: Canadian businesses can learn from high profile investigation

July 16, 2009

Academics - teachingThe Office of the Privacy Commissioner of Canada (the “OPC”) has just released an in-depth investigation report into a wide-ranging PIPEDA complaint by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) about the privacy practices of Facebook.  There is extensive domestic and international media coverage on this today including a story just posted by New York based Bloomberg News, which includes commentary by yours truly. 

While the OPC’s Facebook investigation should be a “must read” for all Facebook users, it also provides some insightful information for Canadian organizations regulated by PIPEDA. The lessons that can be learned from the investigation can be applied by Canadian businesses regardless of whether their activities are online or offline. 

Despite the fact that “[i]t’s clear that privacy issues are top of mind for Facebook…” federal Privacy Commissioner Jennifer Stoddart says that the OPC has found “serious privacy gaps in the way the site operates”. According to Stoddart, in order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care.  An overarching concern of the OPC was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers. The OPC recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.

The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found. The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.

The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts, which is a violation of PIPEDA. The law requires organizations to retain personal information only for as long as is necessary to meet appropriate purposes. Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.

Click here to read the OPC’s News Release, here for the full investigation report and here to read a helpful backgrounder.  If you’d like to read more about Facebook, please click on the Facebook link under this blog’s Tags (below).

Leave a Comment » | Access to Information, Facebook, Internet, Online Reputation Management, PIPEDA, Privacy, Safekeeping, Security, Social Networking Websites | Tagged: , , , , , , , , , | Permalink
Posted by Brian Bowman

« Previous Entries
Next Entries »
Follow

Get every new post delivered to your Inbox.

Join 77 other followers