Canada’s Privacy Commissioner, Jennifer Stoddart, has teamed up with nine other country’s privacy watchdogs today to warn Google and other organizations to better respect people’s privacy rights. The privacy commissioners have sent a letter to Google, accusing it of overlooking privacy values and legislation in launching new online products.
The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:
collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
creating privacy-protective default settings;
ensuring that privacy control settings are prominent and easy to use;
ensuring that all personal data is adequately protected, and
giving people simple procedures for deleting their accounts and honouring their requests in a timely way.”
The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.
Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first! As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.
Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.
Q. Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?
A. A couple of years ago the Edmonton police raided a hang out for meth users. They found a lot of papers from businesses in the area, which they gave to us. Cell phone contracts, credit bureau checks, credit card information and so on. The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high. They don’t sleep. They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.
Q. So what can the public do to protect itself from that kind of identity theft?
A. Individuals should shred bank and credit card statements. They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft. Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports. Check your bank and credit card statements to make sure someone else isn’t using them. Do a credit bureau reference on yourself maybe once a year. If your score is lower than you think, find out why. If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.
The other side of the problem is organizations that have peoples’ info. They must take proper care of it. As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers files, all thrown away. These papers all have potential for fraudulent use. Businesses need to shred this stuff. Furthermore, for businesses that have customer databases, how well secured is it? Who on their staff has access to it? We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.
Q. Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?
A. It is early days yet. Hopefully it will make organizations extra careful with personal information. Will that raise the bar for organizations in other provinces? Maybe. If you are going to change your practices here, you might as well change them everywhere. Possibly more provinces will legislate. A big piece of the picture will be when the Federal government amends PIPEDA in this regard. Maybe this will increase pressure to do so. It will be a challenge to figure out what “a real risk of significant harm” is. It will be a challenge to figure out in which cases there should be notice given and what kind of notice.
Q. You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?
A. We aren’t perfect but we are way ahead of most other jurisdictions. The “commissioner” system of enforcement has served us well because we do not have the kind of well funded civil society organizations which can advocate for privacy. Commissioners can and do advocate. I mean, I would love to have an ACLU, or and EPIC or an EFF in Canada. Our civil liberties people, like FIPA in BC do great work with the resources they have but resources are scarce. We need some rich people to endow some of these groups. The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy. We get it to some extent. I like to think it is because we are, yes, polite, and respectful of other people. That makes us respect each other’s space. We must not lose that as the world becomes one big facebook/google culture. Teach your children well.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. Cyber attacks, hacks and other losses will continue. Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed. I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening. Governments like surveillance. Heck, the public likes surveillance because we are just so bad at risk assessment. We are scared of everything it seems and we want someone to keep an eye on everything for us. It will be interesting to see if technology begins to fail us. For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it? They bring in new technology. And that doesn’t prevent the next one (God forbid). Maybe they run out of technology, although, for the money involved I don’t see that happening. Someone will come up with a new toy. Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?” I think that will be a social shock.
I’m very pleased to be able to post the following conversation with Jennifer Stoddart.
Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism. As a result, Canadians have been exceptionally well-served.
Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.
Q. How did you get involved in the world of privacy?
A. Back in the spring of 2000, I happened to read an article in the New York TimesMagazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.
A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.
Last year’s investigationinto a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.
Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?
A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.
As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.
Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.
Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?
A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.
We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.
So the challenges are real, and they are huge.
Q. So how does an Office like yours keep up?
A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.
We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.
But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.
Q. If you could make a few recommendations for Canadian business leaders, what would you say?
A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.
Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.
I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance.
Q. Do you have any “privacy-related” predictions for 2010?
A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.
And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.
I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.
According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.
More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information. The favoured medium for stealing corporate information is a USB memory stick followed by e-mail.
As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping. In today’s economy, information is the most valuable corporate asset. For this reason, businesses of all sizes should take proactive steps to protect corporate data. Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.
I’ll be hosting a 2010 Privacy Prep Webinar on Tuesday, January 12th from 12:00 – 12:30 PM (CST). (FULL) Due to high demand, new dates added: Wednesday, January 13th from 12:00 – 12:30 PM (CST) and Thursday, January 14th from 12:00 – 12:30 PM (CST).
This complimentary 30 minute webinar will provide a plain language overview of the most significant privacy issues/events of 2009 and, more importantly, prepare you and your business for 2010. Among other things, I’ll highlight notable court cases and privacy commissioner findings from 2009 as well as point out anticipated privacy issues likely to affect Canadian businesses in the coming year.
Space is limited so please RSVP early by emailing me at bowman@pitblado.com.
The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies. Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.
As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping.
This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.
Don’t let anyone tell you that something can’t be done because of privacy laws. For example, how many times have you heard someone say, “privacy laws handcuff the ability of law enforcement to protect Canadians” or “businesses can’t compete because of heavy-handed privacy laws”? Yes, in very limited circumstances privacy laws can restrict certain activities. But, these cases are few and far between. In many more circumstances, privacy considerations simply need to be built into the design of a product or service.
Case in point is the recent coverage that Assistant Privacy Commissioner of Canada, Chantal Bernier, has approved the use of airport scanners that can see through your clothes. Who would have thought that the Office of the Privacy Commissioner of Canada would ever approve what have been refered to as “naked” airport scanners? But if you look at the manner in which the scanners will apparently be rolled out, there appears to be a balance between security and privacy considerations. As I’ve previously posted, “Privacy by Design” can help those with a “can-do” attitude.
Regardless of whether I agree that the “naked” airport scanners are lawful (and regardless of whether I’ll choose to walk through one of these scanners myself), it’s great to see an attempt at “Privacy by Design” in action. To be honest, however, my greatest concern is for the poor airport security professionals who may one day have to look at my less than stellar outline. I’m not sure how much they get paid, but it’s probably not enough!
In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007. The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information. A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted.
These incidents demonstrate how easily sensitive data can be compromised when stored on laptops. Encryption is a relatively easy way to improve the security of such information. But, where do you start? There are numerous encryption options available. Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.
Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner.
PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years. To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested. A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.
Changes to PIPEDA may include:
a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada;
amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.
The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review. Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.
Have you heard the term “cloud computing“, but aren’t really clear what it means?
Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.
Some organizations are opting for ”Software as a service” (SaaS), and allowing their data to reside on other company’s servers, or “the cloud“. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.
Cloud computing is not new, but is now embedded into the fabric of modern business operations. In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs.
Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.
Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information and Protection of Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.
They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach?
It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca. Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics. Here’s what we covered…
On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week. The post highlights a YouTube video of an irrate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.
On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter. As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.
On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions. For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.
On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.
The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.
The three minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five millions views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.
The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial.
Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.
Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.
The Government of Canada announced today the introduction of anti-spam legislation called the Electronic Commerce Protection Act(“ECPA”) that “aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.”
According to the government’s News Release, the ECPA would allow businesses and individuals to initiate civil actions against anyone who violates the law. The ECPA deals with unsolicited text messages, or “cellphone spam”, as a form of “unsolicited commercial electronic message”.
It would establish a regulatory enforcement regime that would enable the CRTC to impose penalties of up to $1 million for individuals and $10 million in all other cases. The Competition Bureau would use a penalty regime already provided for in the Competition Act, and the federal Privacy Commissioner‘s powers to cooperate and exchange information with her counterparts would be expanded in respect of the Personal Information Protection and Electronic Documents Act.
The ECPA is nearly 70 pages long. Stay tuned to this blog. As soon as I’ve been able to digest the content I’ll post again on how the ECPA is likely going to affect Canadian businesses, especially those enaged in online marketing.
The current global economic climate has led to a growing number of bankruptcy and insolvency proceedings, particularly in the U.S. In dealing with these proceedings, many business leaders have not paid enough attention to the role of privacy law and its impact on the bottom line.
A prime example is the bankruptcy of U.S. online toy retailer, Toysmart.com. Toysmart.com had collected vast amounts of personal information from its online consumers in accordance with its privacy policy, which stated that the company would never share its database with third parties. Despite the promise, Toysmart.com then made attempts to sell the database. The U.S. Federal Trade Commission (“FTC”) then sued Toysmart.com seeking injunctive and declaratory relief to prevent the sale of the database by Toysmart.com. The complaint alleged that Toysmart.com had violated U.S. law by misrepresenting to consumers that personal information would never be shared with third parties, and then disclosing, selling and offering that information for sale. Toysmart.com later settled with the FTC. The settlement agreement forbid the sale of the database except under very limited circumstances.
Of course, Canadian companies are subject to Canadian privacy laws such as PIPEDA, which require the consent of individuals for the disclosure of personal information to third parties. In structuring privacy policies, Canadian companies should consider all outcomes including bankruptcy. As a result, privacy policies should be carefully drafted with consideration of the possibility that personal information may be shared with third parties in the event of bankruptcy. Doing so will almost certainly not be enough to fully comply with Canadian legal requirements, but it’s a prudent step in the right direction – especially in these uncertain economic times.
Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “digital footprints“.
The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!
Businesses can help reduce their customer’s digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”. It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.
Does PIPEDA apply to non-Canadians? It’s a common question.
PIPEDA applies to organizations that collect, use, or disclose “personal information” in the course of a commercial activity. The definition of “personal information” does not specify the residency of the individual to whom the personal information must relate. As a result, organizations are well-advised to manage their personal information holdings in accordance with all of the obligations set forth in PIPEDA regardless of the residency of the individuals to whom information relates. If they don’t, non-Canadians (including U.S. residents) may initiate privacy complaints to the Office of the Privacy Commissioner of Canada.
Ongoing privacy training is a vital tool to assist with privacy law compliance. In this respect, the following Canadian privacy law conferences in the coming months may be of interest to you or others in your organization:
On May 20, 2009, the Manitoba Bar Association will be hosting an IP/Technology Section luncheon where I will be speaking about emerging privacy issues. Of course, you need to be a member or a guest of the Manitoba Bar Association to attend.
From June 17 – 19th, I will be speaking in Winnipeg at the National Credit Institute‘s 2009 CIC National Conference: “Back to our Roots, Forward to our Future” on the privacy law matters affecting those in the credit industry.
The Privacy Security Trust 2009 (PST2009) will be hosting the Seventh Annual International Conference on Privacy, Security and Trust in Saint John, New Brunswick from August 25 – 27, 2009.
The 2009 IEEE International Conference on Information Privacy, Security, Risk and Trust will be held in Vancouver, British Columbia from August 29 – 31, 2009.
If there are other Canadian privacy law conferences in the coming months that I haven’t listed, please post a Comment or drop me an e-mail so I can update this post. If you, or your industry association, are interested in more focussed privacy training, please let me know as I regularly conduct in-house privacy training sessions for clients.
Another day, another development in the Google Street View story. Canada’s Privacy Commissioner and several provincial privacy commissioners have commented on street level imaging technology by releasing a timely Fact Sheet on the related privacy issues.
The commissioners point out that ”a common misconception is that a company doesn’t need your permission to take your photograph in a public place. In fact, one of your key protections under Canadian privacy law is that you should know when your picture is being taken for commercial reasons, and what your image will be used for. Your consent is also needed.”
The Winnipeg Free Press is also running an excellent story in today’s newspaper, which highlights some of the broader issues related to Google Street View. Arthur Schafer, a professor at the University of Manitoba and director of the Centre for Professional and Applied Ethics, comments in the story about the related ethical issues while I comment in the story about the related legal issues.
The looming battle between privacy advocates and Google Street View could have implications beyond Google and its Canadian-based service providers, who are currently taking detailed photos of Canadian cities. I’m quoted in today’s Winnipeg Sun article on this issue, where I argue that the implications of the Google Street View battle could extend to how Canadian privacy laws are interpreted and enforced.
If you’re not ramped up on Google Street View, you may want to read the Wikipedia description, which does a good job of explaining the Google service. David Fraser also has an illustrative blog post, which highlights the remaining privacy issues despite Google’s efforts to blur faces and licence plates.
Despite the fact that Google’s Canadian-based service providers are taking pictures in public places, Canadian privacy laws generally require the consent of individuals for the collection of their personal information. In fact, the first ever Case Summary under PIPEDA dealt with video surveillance activities in public places. In the Case Summary, the former Privacy Commissioner advised the company being investigated that its intended public video surveillance for commercial purposes was unlawful and should not be pursued. More recently, and on point, Canada’s Privacy Commissioner, Jennifer Stoddart, has sent a letter to Google outlining the concerns about Google Street View from a Canadian privacy law perspective.
I recently discussed with Nymity News some of the privacy issues related to third party opt-out websites. Specifically, I highlighted in the interview the risks facing organizations who honour requests from such websites. Marketing research organizations such as those that are members of the MRIA may find the interview of particular interest, but it’s still worth reading regardless of what industry your business operates in if you’re not yet aware of these types of third party opt-out websites.
If you’re a privacy professional, you’re likely overwhelmed with the ongoing task of staying on top of legal, industry and technology developments. As you know, there’s no shortage of issues these days. Hopefully, this blog is helping your efforts!
But if you work for a private sector organization and haven’t yet signed up for the federal Privacy Commissioner‘s e-newsletter entitled Privacy Perspectives, I’d suggest you do. It contains great information and helps to stay on top of things.
If you’re still in need of ongoing assistance and aren’t already a member of the Privacy Forum, you may want to touch base with me to learn more. It has been a super venue over the last 6 years for information sharing and the current members are an excellent group of individuals and first rate privacy professionals.
How is your business dealing with metadata? If you’re scratching your head and asking “what the heck is metadata?” or if you’re drawing a blank about what your business may (or may not) be doing to manage its metadata, then you should definitely read on.
For the basics on metadata, read here. As you’ll learn in more detail, “metadata” is data about data. It’s detailed information that is automatically created about an electronic document when you use Microsoft Word, PowerPoint or Excel. It can include the name of the person or organization that created a document, the date that it was created, the identities of people who modified a document, including the time and day they did so, the name of the computer that was used to create a document and detailed revisions to a document, including past modifications and deleted text not visible on your computer screen. If not properly managed, metadata can help other businesses steal your intellectual property, learn about your business processes and view personal information that you’re legally required to protect under privacy laws.
One practical way to deal with metadata is to use metadata scrubber software. Some are costly but well worth it, including Payne Metadata Assistant and Workshare Protect. There are also free tools available including a Microsoft one (but it is only for Office 2007) and one offered by Javacool Software. Of course, I’d recommend that you work with technology professionals to determine the best metadata scrubber software for your business. Regardless of whether you use one of these or other tools, it’s important that you deal with metadata in some fashion. I hope these links help provide you with a good place to start! Feel free to Leave a Comment below if you know of other metadata scrubber software worth recommending.
As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.
an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The primary means by which an organization can protect personal information that it transfers to a third party for processing is through a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.
Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.
I chaired a lively Privacy Forum member meeting yesterday, which included a great discussion on how to get staff “buy-in” on privacy compliance. It’s an important topic because an organization can have comprehensive privacy policies and procedures, but if employees don’t “buy-in” they won’t implement the policies and procedures properly.
The important thing is to develop a culture of privacy within the workplace. Fostering a workplace culture where privacy is valued and respected contributes to good employee morale and mutual trust. It also helps employees to identify privacy issues before they become privacy complaints (which can result in costly grievances, lawsuits or settlements). After all, it’s employees that are on the front line with customers and how employees respond to privacy related questions or concerns can make a big difference.
When I conduct privacy training sessions for clients, I always remind employees that while privacy compliance is the law, it’s also important because good privacy practices can improve customer relations, increase efficiencies and mitigate time-consuming and costly privacy complaints. I also try to make privacy compliance fun! No, this is not a misprint…I said “fun”. Privacy Forum members had some great suggestions on how to make privacy compliance fun and, in doing so, help to get staff “buy-in” on privacy compliance.
Please post a Comment below on ways that you or your organization tries to get staff “buy-in” on privacy.
Privacy professionals will know first hand the importance of conducting regular staff privacy training, which can mitigate customer privacy complaints and (as a result) the overall costs of privacy compliance.I certainly know from my practice that the costs to businesses can be quite significant when having to deal with serious privacy complaints.These costs can include settlements, legal fees and lost productivity.Obviously, it’s better to be proactive and reduce the chances of having to deal with privacy complaints.That’s where regular staff privacy training comes in! Businesses really should conduct staff privacy training on a regular basis – in my view, at least on an annual basis.
In a recent speech to the 10th Annual Privacy and Security Conference in Victoria, B.C., Privacy Commissioner Jennifer Stoddart commented, “Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws. This is a huge concern! We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor. It was an issue in more than half of the spills we examined! We found that very basic mistakes – human errors – often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.”The full speech is entitled, “A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?” and is definitely worth reading.
My August 18, 2008 column in the Winnipeg Free Press provides a definition of the position of Chief Privacy Officer (CPO) as well as some tips to help determine the scope of the role in particular firms.
My April 2, 2008 column in the Winnipeg Free Press discusses the privacy implications resulting from recording telephone calls, and why it is important to let your customers know if you are recording their calls to you.
My March 5, 2008 column in the Winnipeg Free Press discusses some of the problems that can occur when trying to sell a business, if you haven’t put privacy policies in place.
This blog provides practical assistance to Canadian businesses so they can better deal with issues related to privacy, access to information, online reputation management, intellectual property and technology legal matters. I hope you subscribe to this blog via RSS (below) or via e-mail (below) so that you can receive timely updates to new posts. Thanks, Brian
This blog is presented for informational purposes only. Content does not constitute legal advice or solicitation and does not create solicitor-client relationship. Views expressed are solely the author's and should not be attributed to any other party, including Pitblado LLP or its clients. The author makes no guarantees regarding the accuracy or adequacy of the information contained herein or linked to via this blog. The author is not able to provide free legal advice. If you are seeking advice on specific matters, please contact Brian Bowman at (204) 956.3520 or bowman@pitblado.com, but please be aware that any unsolicited information sent to the author cannot be considered to be solicitor-client privileged. Comments published on this blog do not reflect the views of Brian Bowman, Pitblado LLP or its clients.