Canada’s Privacy Commissioner has just released the final report of her Office’s consultations on the online tracking, profiling and targeting of consumers by marketers and other businesses. “Most people have no idea about the rich trail of data they leave behind when they browse the Internet, use social networking sites, or engage the geo-location functions of their mobile devices,” the Commissioner observed. Organizations that track the online activities of Canadians must be more upfront about their practices, Privacy Commissioner Jennifer Stoddart has concluded… “it comes down to meaningful consent, which entails informed consent”.
Privacy Commissioner releases report on online tracking, profiling and targeting, and cloud computing
May 6, 2011
Leave a Comment » | 
Privacy, Technology, Marketing, Social Networking Websites, Facebook, Device Fingerprinting, Monitoring, Privacy Commissioner of Canada | Tagged: Privacy, Privacy Commissioner, Internet, Facebook, Social Networking, Cloud Computing | 
Permalink
Posted by Brian Bowman
Fines needed to help stem growing data breaches, Privacy Commissioner says
May 4, 2011
The Privacy Commissioner of Canada has called for legislation empowering her to impose substantial fines against major corporations that fail to adequately protect Canadians’ personal information from preventable breaches.
“I am deeply troubled by the large number of major breaches we are seeing, including serious incidents in recent weeks that have affected hundreds of thousands of Canadians,’’ Jennifer Stoddart said in a speech today at the Canada 3.0 forum in Stratford, Ont. “It seems to me that it’s time to begin imposing fines – significant, attention-getting fines – on companies when poor privacy and security practices lead to breaches.” To learn more, read the complete news release.
Leave a Comment » | Privacy, Privacy Breach, Data Protection, Privacy Commissioner of Canada, Legislation Update | Tagged: PIPEDA, Privacy, Privacy Commissioner, Privacy Breach | Permalink
Posted by Brian Bowman
Canada’s Privacy Commissioner releases latest Privacy Perspectives e-newsletter
March 16, 2011
Canada’s Privacy Commissioner has just released her latest e-newletter, Privacy Perspectives. Today’s installment includes:
Leave a Comment » | Privacy, Privacy Commissioner of Canada, Youth | Tagged: Privacy Commissioner | Permalink
Posted by Brian Bowman
B.C.’s Privacy Commissioner releases Privacy Guidelines for Landlords and Tenants
October 22, 2010
B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.
In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.
Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.
Leave a Comment » | PIPA, Privacy, Privacy Commissioner | Tagged: Due Diligence, Privacy, Privacy Commissioner, Privacy Compliance | Permalink
Posted by Brian Bowman
A Conversation with Elizabeth Denham, British Columbia’s Information and Privacy Commissioner
October 12, 2010
Continuing a series of blog posts that I’m calling “A Conversation with…”, I’m delighted to post the following conversation with British Columbia’s new Information and Privacy Commissioner, Elizabeth Denham.
Canada’s privacy community will know that Commissioner Denham brings to her new role a wealth of experience and accomplishment. Her resume includes Assistant Privacy Commissioner of Canada and Director, Private Sector, for the Office of the Information and Privacy Commissioner of Alberta. I’ve had the pleasure of knowing Commissioner Denham for some time and have always appreciated her practicality and great sense of humour. B.C. will undoubtedly be well-served.
Of course, I’d like to thank Commissioner Denham for agreeing to engage in this online conversation. If you’d like to learn more about Elizabeth Denhem or B.C.’s Information and Privacy Commissioner’s Office (“OIPC”), I’d encourage you to visit the OIPC’s website (www.oipc.bc.ca).
Q – You served as Assistant Privacy Commissioner of Canada until being appointed BC’s Information and Privacy Commissioner in July 2010. How are things going in your new role?
A – It is a good thing that I am a recreational runner, because I have certainly hit the ground running! This is an extremely busy office, due to the scope and nature of the work and to the fact that I have inherited one of the leanest oversight agencies in the country. I am very lucky to have a team of hardworking, enthusiastic and seasoned professionals to support me.
While I do have “in the trenches” FOI experience, that was more than 10 years ago, forcing a quick re-immersion into the duties of ensuring accountable and transparent government. Since my appointment I have issued a report on the timeliness of government responses to access requests, worked on a strategy for government-wide proactive disclosure and executed our annual tribute to open government, Right to Know Week.
However, in my view the biggest challenge facing me in this term is public sector privacy issues. The government has ambitious plans for data sharing across ministries, to create linked electronic databases. It is my immediate priority to ensure that privacy is baked into BC’s e-government programs, including e-health.
Q – I’ve long considered BC one of the most progressive privacy jurisdictions in Canada. How has this happened and what can other provinces/territories learn from BC’s privacy community?
A – I think there are a number of factors that has put BC out in front with respect to privacy. My two predecessors, David Flaherty and David Loukidelis, are without a doubt two of the top privacy experts, and their ability to break trail has benefited all of BC. The former Commissioners were very skilled at making privacy a common topic of discussion and spreading the word about privacy rights and obligations. BC also has active and engaged civil society pushing hard for access and privacy rights, and I am referring to the BC Freedom of Information and Privacy Association as well as the BC Civil Liberties Association as key thought leaders. Finally, the citizens of BC have a reputation for being politically aware and engaged, and unafraid to bring burning issues to the forefront. I think the key learning outcome for other jurisdictions is work hard at capacity building and public outreach, and encourage other groups to actively enter the policy debates around access and privacy. We need other voices. Regulators cannot do it alone.
Q – Given that BC has a provincial privacy law (PIPA) that is “substantially similar” to PIPEDA, and considering that many readers of this blog are from outside BC (and Canada), can you briefly highlight the most important things that businesses should know about BC’s private sector regime?
I think the three most important points are these:
First, make sure you have a legitimate operational need to collect any personal information. This requires ongoing monitoring to ensure the operational requirement still exists, and routinely and safely purging personal information no longer required. Personal information is both an asset and a liability, and collecting and retaining personal information when no reason exists is a huge business risk.
Second, be transparent about what you are doing with the personal information you collect in the course of your operations, and ensure that anyone that you hire on your behalf behaves in the same manner.
Finally, data safeguards, or rather the lack thereof, remain the primary source of privacy breaches and a threat to your business brand. Safeguards are much more than passwords and locked cabinets—they include proper and ongoing staff training, privacy audits and assessing the privacy impacts of new policies, programs or services. Safeguarding personal information requires ongoing attention, and a willingness and ability to adjust the safeguard strategy when needed.
Q – Your work in the area of social networking as been outstanding, which in the case of Facebook resulted in a number of changes to the social networking site—changes that were implemented on a global basis. Some readers may presume that a privacy commissioner such as you wouldn’t use social networking sites. In my case, I’m active on LinkedIn. How about you?
A – I have several accounts with social networks, including Facebook and LinkedIn. I first joined the networks because I wanted to deeply understand the services, and their functionality; this was critical to my work. But Facebook also helps me keep track of my far-flung 20-something children who live their lives on-line! But I am a savvy consumer of these services, and obviously avail myself to all of the privacy controls they offer. I do not post anything on either of those sites that is not already publicly available or any information that I would not hesitate to make public. I am very careful before downloading any third party application—carefully scrutinizing their privacy policies beforehand.
Q - In your view, what kind of privacy developments should we watch for in the coming year in British Columbia?
A – On the government side, I think the primary issues will be an increase in the development of linked data networks containing personal information bringing risks to transparency, appropriate access, use and disclosure and a heightened risk of transmission of inaccurate and incomplete information.
On the private sector side, I know we will see more collaboration and cooperative oversight between the federal and provincial commissioners. New technologies and business models challenge the ability of any office to “go it alone”. Canada is a leading voice on privacy and new technologies. I look forward to working with my colleagues on smart, relevant and timely oversight.
1 Comment | Facebook, Internet, Personal Information, PIPA, Privacy, Privacy Commissioner, Social Networking Websites | Tagged: Facebook, Internet, Privacy, Privacy Commissioner, Social Networking | Permalink
Posted by Brian Bowman
Lessons from the Veteran Affairs Canada privacy breach
October 8, 2010
The recent headlines over the Veteran Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy if often from within an organization.
In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.
The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:
- “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
- Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only. Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
- Provide training for employees about appropriate personal information-handling practices.
- Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”
Leave a Comment » | Privacy, Access to Information, Privacy Breach, Security Breach, Safekeeping, Government, Safeguarding, Due Diligence, Training, Data Protection, Privacy Commissioner of Canada | Tagged: Access to Information, Due Diligence, Personal Information, Privacy Commissioner, Privacy Compliance, Safeguarding | Permalink
Posted by Brian Bowman
Privacy Commissioner of Canada releases Annual Report on Privacy Act
October 5, 2010
Canada’s Privacy Commissioner, Jennifer Stoddart, released her 2009 – 2010 Annual Report to Parliament on the Privacy Act today. In her Annual Report, Stoddart says that “[t]he federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure”.
Key lessons for the private sector from today’s Annual Report include, among other things, (1) a reminder of the need to assess the threats/risks inherent in wireless communications and to fill any gaps in policies and/or practices related to smart phones, Wi-Fi networks and data stored on mobile devices and (2) ensuring that policies and procedures are in place for paper shredding and the disposal of surplus computer equipment.
Read the full Annual Report here>>.
Leave a Comment » | Privacy, Government, Mobile devices, Privacy Commissioner of Canada | Tagged: Privacy Commissioner, Government | Permalink
Posted by Brian Bowman
Privacy Commissioner tables Annual Report on PIPEDA
June 8, 2010
Earlier today, Canada’s Privacy Commissioner, Jennifer Stoddart, submitted to Parliament the OPC’s Annual Report on PIPEDA for the period from January 1 to December 31, 2009.
As the Commissioner notes, “the dominant theme of [the OPC's] work in 2009 was the protection of privacy in an increasingly online, borderless world. A case in point was the investigation that resulted in more public attention than any other in [the OPC's] history: Facebook.” The Commissioner notes two key issues, namely, Data without borders and Risks remaining in the wake of mortgage broker breaches.
Leave a Comment » | PIPEDA, Privacy, Privacy Commissioner of Canada | Tagged: PIPEDA, Privacy Commissioner | Permalink
Posted by Brian Bowman
Elizabeth Denham appointed B.C.’s Information and Privacy Commissioner
May 7, 2010
Elizabeth Denham, Canada’s Assistant Privacy Commissioner with primary responsibility for the federal private sector privacy law, PIPEDA, has reportedly just been appointed B.C.’s Information and Privacy Commissioner.
Denham has served as Canada’s Assistant Privacy Commissioner since 2007. Since then, and as reported by Times Colonist, she has “spearheaded a high-profile investigation into the way Facebook handles user information, which pushed the company to revamp the way it handles and shares personal information from more than 200 million users worldwide. She launched a follow-up investigation into Facebook early this year after a complaint that the default setting of the new privacy options presented to users actually made a person’s information more readily available than before the changes.”
I’ve had the pleasure of working on matters with Elizabeth Denham. She is very practical in her approach to privacy and is an extremely personable individual. As a result, B.C. will be well-served by her as she embarks in her new role. Congratulations Commissioner Denham!
Leave a Comment » | Privacy, Privacy Commissioner | Tagged: Privacy Commissioner | Permalink
Posted by Brian Bowman
A Conversation with Gary Dickson, Q.C.
May 5, 2010
Continuing a series of blog posts that I’m calling “A Conversation with…“, I’m really pleased to post the following conversation with the Information and Privacy Commissioner of Saskatchewan, Gary Dickson, Q.C.
Gary Dickson was appointed as Saskatchewan’s first full-time Information and Privacy Commissioner back in 2003, and he was re-appointed in 2009 for a further five-year term. That’s great news because Gary Dickson has been outstanding in his role as Commissioner. On a personal note, I’ve been thrilled to watch his many successes as Commissioner. I’ve known Gary for many years. In fact, it was he who suggested that I get involved with the Canadian Bar Association at a time when some of us were trying to form what is now the CBA’s National Privacy and Access Law Section.
Thanks to Commissioner Dickson for agreeing to take part in this online Q & A conversation. CFL fans may find some humour in the last Q & A below. Go Bombers! If you’d like to learn more about Commissioner Dickson or the Office of the Saskatchewan Information and Privacy Commissioner (“IPC”), I’d encourage you to visit the IPC’s website.
Q. You were previously an Alberta MLA. In that capacity, you were involved in privacy law development as the critic for the Freedom of Information and the Protection of Privacy portfolio, and also on several important privacy law committees and panels. What’s it like to now be involved with privacy as the Information and Privacy Commissioner of Saskatchewan?
A. The experience is exciting, stimulating, and almost always challenging. I am very fortunate that our office has a committed team of excellent staff who are focused on ensuring that Saskatchewan residents enjoy the full benefit of our provincial access and privacy laws. I’m very lucky to continue to be involved with such a fascinating area but from a very different perspective than that of a lawmaker. It has been very useful to have had that experience in the development of access and privacy legislation before I assumed the new Commissioner role in Saskatchewan. I hope that I am more aware and more sympathetic to the challenges and issues that arise with any access and privacy law for front line workers. It has certainly motivated me to promote wherever possible making such laws simpler and more accessible to the people who must administer them and for those who are the ‘data subjects’. I have also enjoyed the opportunity to modestly influence the way that our access and privacy laws are viewed and understood. My experience in Saskatchewan has been that those who work in public bodies or health trustee organizations genuinely want to do the ‘right thing’ in terms of transparency and privacy protection but are often unsure on where the line is drawn and are unfamiliar with best practices that have evolved over the last 26 years in Canada. As a result, a major focus for my initial five years in Saskatchewan has been on raising awareness and creating tools to assist those workers meet their statutory responsibilities.
Q. While Alberta, Quebec, British Columbia and Ontario (for personal health information only) have provincial privacy laws that are “substantially similar” to PIPEDA, Saskatchewan does not. Is it time for that to change?
A. I have for the last six years encouraged the former provincial government and now the current government to carefully consider the advantages of adopting a PIPA type law based on the B.C. and Alberta experience. As it stands, our fundraising foundations and NGOs, including those that deal with significant amounts of sensitive, prejudicial personal information are effectively unregulated. We often hear complaints from employees working in private businesses (not federal works, undertakings, etc.) who are extremely disappointed and upset when we tell them that they do not have the same privacy protection guaranteed to all public sector employees in Saskatchewan. I must acknowledge that the federal Privacy Commissioner has recently undertaken a pilot project in Saskatchewan to raise awareness of PIPEDA but this exercise also has highlighted how big the knowledge deficit is in the small and medium sized business sector. I remain of the view that Saskatchewan individuals, businesses and charitable NGOs should all benefit from a simple private sector privacy law. This could be designed to complement and harmonize with our public sector FOIP and Local Authority FOIP Acts and our Health Information Protection Act. It would allow for a more seamless kind of privacy protection that would be simpler for those organizations and for residents. I notice that the impetus for PIPA in BC and Alberta was really business organizations such as Chambers of Commerce realizing that PIPEDA is in some respects cumbersome and deficient for the SME sector. Business organizations in Saskatchewan do not appear to have adopted that view.
Q. The Saskatchewan Gaming Corporation has been recognized as a positive privacy story. What has it done, and what role has your office had in this development?
A. This is a good example of how an Information and Privacy Commission office can perhaps achieve more through consultation than by emphasizing the enforcement role. We started out a year ago with a complaint that the Casino Box Office in Regina required anyone purchasing a ticket for a show to provide name and contact information even if purchasing the ticket with cash. When we followed up with the Saskatchewan Gaming Corporation that operates the casinos in Regina and Moose Jaw, we found no senior identified FOIP Coordinator or Privacy Officer, no appropriate policies and procedures and no comprehensive training program for staff. Instead of focusing solely on the collection of personal information by the Box Office, we spent the better part of the year working with the Corporation in fundamentally reorganizing to meet its FOIP responsibilities as a ‘government institution’. With the assistance of a Portfolio Officer from our OIPC, the Corporation made a senior Vice President the new Privacy Officer and FOIP Coordinator. Comprehensive policies were put in place and a new FOIP training program rolled out. In the casino, the Box Office now only collects personal information if the ticket purchaser volunteered that information but it is no longer mandatory. In addition, prominent signage now advises customers of the Corporation’s information collection practices. There is also new literature readily available to customers. I think that as a result of our collaboration the Corporation and its leadership now view our office as a useful resource and as an office genuinely committed to operating on the basis of cooperation and collaboration.
Q. You’ve published a best practices guide for mobile device security. It’s getting easier to collect and store personal information, but are we keeping up with our privacy responsibilities in the meantime?
A. I’m afraid that privacy risks are not always top-of-mind for organizations embarking on new IT programs, systems, etc. Although we have developed a Privacy Impact Assessment tool available on our website, there is no statutory requirement that a PIA be done by a public body or health trustee before proceeding with new technology. What is perhaps even more troubling is that we see problems with old technology. Our office brought out a FAX advisory after we found a number of health information trustees didn’t appreciate that when the modern multi-use copier machine is sold as surplus equipment it likely will contain memory of the documents it has processed and perhaps substantial amount of personal health information. Look at the number of cases that have come to Information and Privacy Commissioners across the country that involved theft of unencrypted laptops. So, the short answer is that many organizations are not keeping up with their privacy responsibilities. The education and compliance challenge continues apace.
Q. Your office opened more than double the amount of case files in 2009 than it did in 2008. Is this number going up because of inadequate privacy practices, because the public is becoming more aware of its privacy rights, or both?
A. Good question. I think the answer is some of both. I believe there is significantly higher privacy awareness with the organizations that my office oversees and also greater public awareness. The difficult question is how accurately we can assess what is going with all approximate 3000 organizations that we oversee given that we are largely in a reactive role. In any given year if we are dealing with 200 organizations are these just the few ‘bad apples’ or is this indicative of widespread non-compliance. We simply don’t have the resources to be able to accurately assess and catalogue privacy compliance province wide. At the end of the day however, whatever the reason for the large increase in case files there is an indication that a lot more work is yet to be done to move to a more pervasive privacy protective culture.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. One of the interesting ‘growth’ areas will be the electronic health record. Our office just issued our first Investigation Report (H2010-001) dealing with our electronic health record now in development. This involved a pharmacist who entered the Pharmaceutical Information Program database on nine different occasions to view medication profiles for three individuals who were not patients/customers of that pharmacist of the pharmacy he worked for. We identified a number of problems in terms of HIPA compliance with the pharmacy, the regional health authority and the Ministry of Health. We also issued more than 20 recommendations for remedial action. Since the electronic health record is still some distance from completion, I anticipate that there may be more of this type of complaints touching on some element or another of the E.H.R. In fact, at the end of my Investigation Report, I included a Postscript which incorporated a number of broader considerations that this particular case highlighted.
We will be carefully monitoring changes to our health information regulations that enable regional health authorities to disclose certain personal health information of patients to hospital foundations without prior consent of those patients.
Finally, we are witnessing a number of new information and data-sharing initiatives with Executive Government and we expect to be busy considering these initiatives in the next few years.
Q. And, finally, how many points do you think the Winnipeg Blue Bombers will beat the Saskatchewan Roughriders this year in the Labour Day Classic game?
A. I love the fact that all of those Bomber fans come to Regina and generously spend their dollars in our hotels and restaurants and I always feel badly for their long drive back to Winnipeg. Sorry Brian but I don’t see that the return trip to Winnipeg is likely to be any more joyous in 2010!!
1 Comment | Mobile devices, Personal Information, PIPA, Privacy, Privacy Commissioner, Saskatchewan Gaming Corporation, Security | Tagged: Mobile devices, Personal Information, PIPA, PIPEDA, Privacy, Privacy Commissioner, Saskatchewan Gaming Corporation, Security | Permalink
Posted by Brian Bowman
