Privacy Commissioner’s Annual Report, online reputation & cyber-bullying discussed with CJOB (Audio)

June 6, 2013

I spoke with CJOB|680’s Richard Cloutier this morning regarding the Annual Report released today by the Privacy Commissioner of Canada, which focuses on online reputation and business accountability in the digital age. Please listen to the two-part interview (part 1 and part 2), in which we discuss (among other things) what folks like yours truly are doing to help families combat cyber-bullying.


Dealing with privacy complaints (video)

May 23, 2012

Has your organization received a privacy complaint from one of your customers or employees?  Privacy complaints are occurring more frequently these days because of new privacy laws and increasing privacy compliance expectations from customers and employees.  In this brief video, I chat about how your organization can best respond to privacy complaints. Hope it helps.


Privacy Commissioner releases report on online tracking, profiling and targeting, and cloud computing

May 6, 2011

Canada’s Privacy Commissioner has just released the final report of her Office’s consultations on the online tracking, profiling and targeting of consumers by marketers and other businesses. “Most people have no idea about the rich trail of data they leave behind when they browse the Internet, use social networking sites, or engage the geo-location functions of their mobile devices,” the Commissioner observed.  Organizations that track the online activities of Canadians must be more upfront about their practices, Privacy Commissioner Jennifer Stoddart has concluded… “it comes down to meaningful consent, which entails informed consent”.


Fines needed to help stem growing data breaches, Privacy Commissioner says

May 4, 2011

The Privacy Commissioner of Canada has called for legislation empowering her to impose substantial fines against major corporations that fail to adequately protect Canadians’ personal information from preventable breaches.

“I am deeply troubled by the large number of major breaches we are seeing, including serious incidents in recent weeks that have affected hundreds of thousands of Canadians,” Jennifer Stoddart said in a speech today at the Canada 3.0 forum in Stratford, Ont. “It seems to me that it’s time to begin imposing fines – significant, attention-getting fines – on companies when poor privacy and security practices lead to breaches.” To learn more, read the complete news release.


Canada’s Privacy Commissioner releases latest Privacy Perspectives e-newsletter

March 16, 2011

Canada’s Privacy Commissioner has just released her latest e-newsletter, Privacy Perspectives. Today’s installment includes:

  • Raising awareness about youth privacy
  • Does Canada have the privacy legislation it needs?
  • New guidance document on biometrics and privacy
  • OPC news 

B.C.’s Privacy Commissioner releases Privacy Guidelines for Landlords and Tenants

October 22, 2010

B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.

In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.

Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.


A Conversation with Elizabeth Denham, British Columbia’s Information and Privacy Commissioner

October 12, 2010

Continuing a series of blog posts that I’m calling “A Conversation with…”, I’m delighted to post the following conversation with British Columbia’s new Information and Privacy Commissioner, Elizabeth Denham.

Canada’s privacy community will know that Commissioner Denham brings to her new role a wealth of experience and accomplishment. Her resume includes Assistant Privacy Commissioner of Canada and Director, Private Sector, for the Office of the Information and Privacy Commissioner of Alberta. I’ve had the pleasure of knowing Commissioner Denham for some time and have always appreciated her practicality and great sense of humour. B.C. will undoubtedly be well-served.

Of course, I’d like to thank Commissioner Denham for agreeing to engage in this online conversation. If you’d like to learn more about Elizabeth Denham or B.C.’s Information and Privacy Commissioner’s Office (“OIPC”), I’d encourage you to visit the OIPC’s website (www.oipc.bc.ca).

Q – You served as Assistant Privacy Commissioner of Canada until being appointed BC’s Information and Privacy Commissioner in July 2010. How are things going in your new role?

A – It is a good thing that I am a recreational runner, because I have certainly hit the ground running! This is an extremely busy office, due to the scope and nature of the work and to the fact that I have inherited one of the leanest oversight agencies in the country. I am very lucky to have a team of hardworking, enthusiastic and seasoned professionals to support me.

While I do have “in the trenches” FOI experience, that was more than 10 years ago, forcing a quick re-immersion into the duties of ensuring accountable and transparent government. Since my appointment I have issued a report on the timeliness of government responses to access requests, worked on a strategy for government-wide proactive disclosure and executed our annual tribute to open government, Right to Know Week.

However, in my view the biggest challenge facing me in this term is public sector privacy issues. The government has ambitious plans for data sharing across ministries, to create linked electronic databases. It is my immediate priority to ensure that privacy is baked into BC’s e-government programs, including e-health.

Q – I’ve long considered BC one of the most progressive privacy jurisdictions in Canada. How has this happened and what can other provinces/territories learn from BC’s privacy community?

A – I think there are a number of factors that have put BC out in front with respect to privacy. My two predecessors, David Flaherty and David Loukidelis, are without a doubt two of the top privacy experts, and their ability to break trail has benefited all of BC. The former Commissioners were very skilled at making privacy a common topic of discussion and spreading the word about privacy rights and obligations. BC also has active and engaged civil society pushing hard for access and privacy rights, and I am referring to the BC Freedom of Information and Privacy Association as well as the BC Civil Liberties Association as key thought leaders. Finally, the citizens of BC have a reputation for being politically aware and engaged, and unafraid to bring burning issues to the forefront. I think the key learning outcome for other jurisdictions is to work hard at capacity building and public outreach, and encourage other groups to actively enter the policy debates around access and privacy. We need other voices. Regulators cannot do it alone.

Q – Given that BC has a provincial privacy law (PIPA) that is “substantially similar” to PIPEDA, and considering that many readers of this blog are from outside BC (and Canada), can you briefly highlight the most important things that businesses should know about BC’s private sector regime?

A – I think the three most important points are these:

First, make sure you have a legitimate operational need to collect any personal information. This requires ongoing monitoring to ensure the operational requirement still exists, and routinely and safely purging personal information no longer required. Personal information is both an asset and a liability, and collecting and retaining personal information when no reason exists is a huge business risk.

Second, be transparent about what you are doing with the personal information you collect in the course of your operations, and ensure that anyone that you hire on your behalf behaves in the same manner.

Finally, data safeguards, or rather the lack thereof, remain the primary source of privacy breaches and a threat to your business brand. Safeguards are much more than passwords and locked cabinets—they include proper and ongoing staff training, privacy audits and assessing the privacy impacts of new policies, programs or services. Safeguarding personal information requires ongoing attention, and a willingness and ability to adjust the safeguard strategy when needed.

Q – Your work in the area of social networking has been outstanding, which in the case of Facebook resulted in a number of changes to the social networking site—changes that were implemented on a global basis. Some readers may presume that a privacy commissioner such as you wouldn’t use social networking sites. In my case, I’m active on LinkedIn. How about you?

A – I have several accounts with social networks, including Facebook and LinkedIn. I first joined the networks because I wanted to deeply understand the services, and their functionality; this was critical to my work. But Facebook also helps me keep track of my far-flung 20-something children who live their lives on-line! But I am a savvy consumer of these services, and obviously avail myself of all of the privacy controls they offer. I do not post anything on either of those sites that is not already publicly available or any information that I would not hesitate to make public. I am very careful before downloading any third party application—carefully scrutinizing their privacy policies beforehand.

Q – In your view, what kind of privacy developments should we watch for in the coming year in British Columbia?

A – On the government side, I think the primary issues will be an increase in the development of linked data networks containing personal information bringing risks to transparency, appropriate access, use and disclosure and a heightened risk of transmission of inaccurate and incomplete information.

On the private sector side, I know we will see more collaboration and cooperative oversight between the federal and provincial commissioners. New technologies and business models challenge the ability of any office to “go it alone”. Canada is a leading voice on privacy and new technologies. I look forward to working with my colleagues on smart, relevant and timely oversight.


Lessons from the Veterans Affairs Canada privacy breach

October 8, 2010

The recent headlines over the Veterans Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy is often from within an organization.

In this recent case involving Veterans Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veterans Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.

The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:

  • “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
  • Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
  • Provide training for employees about appropriate personal information-handling practices.
  • Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”

Privacy Commissioner of Canada releases Annual Report on Privacy Act

October 5, 2010

Canada’s Privacy Commissioner, Jennifer Stoddart, released her 2009 – 2010 Annual Report to Parliament on the Privacy Act today. In her Annual Report, Stoddart says that “[t]he federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure”.

Key lessons for the private sector from today’s Annual Report include, among other things, (1) a reminder of the need to assess the threats/risks inherent in wireless communications and to fill any gaps in policies and/or practices related to smart phones, Wi-Fi networks and data stored on mobile devices and (2) ensuring that policies and procedures are in place for paper shredding and the disposal of surplus computer equipment.

Read the full Annual Report here.


Privacy Commissioner tables Annual Report on PIPEDA

June 8, 2010

Earlier today, Canada’s Privacy Commissioner, Jennifer Stoddart, submitted to Parliament the OPC’s Annual Report on PIPEDA for the period from January 1 to December 31, 2009. 

As the Commissioner notes, “the dominant theme of [the OPC's] work in 2009 was the protection of privacy in an increasingly online, borderless world. A case in point was the investigation that resulted in more public attention than any other in [the OPC's] history: Facebook.”  The Commissioner notes two key issues, namely, Data without borders and Risks remaining in the wake of mortgage broker breaches.

