Has your organization received a privacy complaint from one of your customers or employees? Privacy complaints are occurring more frequently these days because of new privacy laws and increasing privacy compliance expectations from customers and employees. In this brief video, I chat about how your organization can best respond to privacy complaints. Hope it helps.
I recently discussed Bill C-30 (lawful access) with host Jeremy John on CityTV’s Breakfast Television Winnipeg. Click here to watch the discussion about this controversial online surveillance Bill.
You see Canada’s private-sector privacy legislation (PIPEDA) requires organizations to retain personal information only “as long as necessary”, regardless of the format in which such information is held. So emails and paper records alike should only be retained as long as necessary.
I know that many organizations across Canada are struggling to develop business-friendly retention schedules that comply with the law. In some cases, these businesses are outsourcing their efforts. Do you work with such a company? Does your company offer these services? If so, I know that readers of this blog would welcome any positive recommendations. Feel free to post a “Comment” below with your thoughts.
Some online banks, e-commerce merchants and Internet-based market research firms are turning to a new technology called device fingerprinting (or machine ID as it’s often called) for online verification and fraud detection. Unlike cookies, however, which can be blocked, filtered and deleted, device fingerprinting is invisible to consumers. For website owners that use the technology, adequate disclosures, consent and safeguards are required, at minimum, to comply with privacy laws.
In fact, device fingerprinting works so well that many businesses that use it might not even be aware that they’re doing so. Is your organization using the technology? If so, it’s vital that your organization’s use of device fingerprinting complies with applicable privacy laws.
To learn more about device fingerprinting click here to view a presentation that I recently delivered alongside Steven Johnston (Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada) and David Stark (CIPP, Vice President, Compliance and Privacy Officer, GFK Group) to the International Association of Privacy Professionals in Baltimore, Maryland. As you’ll see, the presentation includes an overview of device fingerprinting, identifies relevant privacy law issues (my contribution to the presentation), the OPC’s perspective and provides practical examples.
Thanks to the IAPP for the opportunity to present and compliments to Steven Johnston and David Stark for excellent remarks.
B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.
In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.
Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.
Does your office have a copy machine? If so, then this post is worth reading. CBC news has just released the results of an investigation that exposes the security risks associated with modern copy machines, specifically, the ease at which information scanned into certain copiers can be tapped. Just think about the information that gets scanned into your office copier. Personal information. Confidential corporate information such as client data. Even intellectual property. It’s a scary thought if you haven’t done your due diligence, especially considering that privacy laws can apply to certain data undoubtedly scanned into your copy machine. Check out CBC’s online story here or TV segment here. And if you’d like to learn more, you may also want to read my post from earlier this year which provided a link to a similar CBS news story.
The recent headlines over the Veteran Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy if often from within an organization.
In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.
The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:
- Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only. Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
- Provide training for employees about appropriate personal information-handling practices.
- Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”
CBC News is reporting that ”[g]arbage bags filled with confidential financial information were found blowing around in a [Winnipeg] North End back lane Tuesday, and people living in the area say they’re furious because of it. The bags contain tax return documents that include people’s names, social insurance numbers and in many cases, addresses and other sensitive financial information.”
This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.
Hogan Lovells LLP is reporting that Ride Aid has agreed to pay $1 million dollars (U.S.) to settle violations of U.S. health information privacy requirements. Interestingly, the FTC has ordered Rite Aid to cease misrepresenting its information security practices to customers and establish other personal information management securities safeguards.