Dealing with privacy complaints (video)

May 23, 2012

Has your organization received a privacy complaint from one of your customers or employees?  Privacy complaints are occurring more frequently these days because of new privacy laws and increasing privacy compliance expectations from customers and employees.  In this brief video, I chat about how your organization can best respond to privacy complaints. Hope it helps.

Leave a Comment » | PIPA, PIPEDA, Privacy, Privacy Breach | Tagged: , , , , | Permalink
Posted by Brian Bowman

Discussing Bill C-30 with CityTV Winnipeg (Video)

March 1, 2012

I recently discussed Bill C-30 (lawful access) with host Jeremy John on CityTV’s Breakfast Television Winnipeg. Click here to watch the discussion about this controversial online surveillance Bill.

Leave a Comment » | Access to Information, Government, Internet, Lawful Access, Monitoring, Privacy | Tagged: , , , , | Permalink
Posted by Brian Bowman

Toyota advertising case raises privacy issues

November 4, 2011

In 2009, a woman initiated a lawsuit against a Californian advertising firm and Toyota U.S.A. because of an aggressive advertising campaign that she claimed was designed to make individuals believe they were being stalked by a criminal (which, in fact, turned out to be fictitious).  While the charges are now being dealt with by the Los Angeles Superior Court the case raises issues in respect of the application of privacy principles here in Canada.

In 2008, Toyota Matrix advertised the “Your Other You” campaign which targeted young males. It encouraged individuals to provide someone else’s personal information, who would then receive an invitation to a fake personality test.  What really happened was, the “victim” ended up receiving numerous disturbing emails from an imaginary soccer hooligan with a pitbull named Trigger.  This impersonator claimed to be on their way to the victim’s house, who had no idea it was a hoax. In order to promote the advertising campaign, a fake social networking account for the stalker was even set up.

How would a similar case play out here in Canada? Under the PIPEDA framework , there would possibly be a violation of the law because of the alleged collection, use and disclosure of personal information without consent. Further, PIPEDA’s requirement that the “identified purposes” of any collection, use or disclosure of personal information would not likely met. Finally, the reasonableness test, enshrined in PIPEDA, would probably be violated. In short, the facts pertaining to the case could put the relevant parties in the crosshairs of the Office of the Privacy Commissioner of Canada and courts. As a result, the case should serve as a warning to advertising agencies to ensure that privacy law considerations are thoroughly canvassed with legal counsel before initiating campaigns involving personal information – especially where people are submitting friends’ data.

1 Comment | Facebook, Marketing, PIPEDA, Privacy, Social Networking Websites | Tagged: , , | Permalink
Posted by Brian Bowman

Is there such a thing as a “good” records retention service provider?

March 17, 2011

Of course, the answer is yes. But who’s the best service provider in Canada?

You see Canada’s private-sector privacy legislation (PIPEDA) requires organizations to retain personal information only “as long as necessary”, regardless of the format in which such information is held. So emails and paper records alike should only be retained as long as necessary.

I know that many organizations across Canada are struggling to develop business-friendly retention schedules that comply with the law. In some cases, these businesses are outsourcing their efforts. Do you work with such a company? Does your company offer these services? If so, I know that readers of this blog would welcome any positive recommendations. Feel free to post a “Comment” below with your thoughts.

Leave a Comment » | PIPEDA, Privacy, Retention | Tagged: , | Permalink
Posted by Brian Bowman

What is device fingerprinting, or machine ID?

November 4, 2010

Some online banks, e-commerce merchants and Internet-based market research firms are turning to a new technology called device fingerprinting (or machine ID as it’s often called) for online verification and fraud detection. Unlike cookies, however, which can be blocked, filtered and deleted, device fingerprinting is invisible to consumers. For website owners that use the technology, adequate disclosures, consent and safeguards are required, at minimum, to comply with privacy laws.  

In fact, device fingerprinting works so well that many businesses that use it might not even be aware that they’re doing so. Is your organization using the technology? If so, it’s vital that your organization’s use of device fingerprinting complies with applicable privacy laws.

To learn more about device fingerprinting click here to view a presentation that I recently delivered alongside Steven Johnston (Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada) and David Stark (CIPP, Vice President, Compliance and Privacy Officer, GFK Group) to the International Association of Privacy Professionals in Baltimore, Maryland. As you’ll see, the presentation includes an overview of device fingerprinting, identifies relevant privacy law issues (my contribution to the presentation), the OPC’s perspective and provides practical examples.   

Thanks to the IAPP for the opportunity to present and compliments to Steven Johnston and David Stark for excellent remarks.

Leave a Comment » | Device Fingerprinting, PIPEDA, Privacy, Technology | Tagged: , , , , | Permalink
Posted by Brian Bowman

B.C.’s Privacy Commissioner releases Privacy Guidelines for Landlords and Tenants

October 22, 2010

B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.

In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.

Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.

Leave a Comment » | PIPA, Privacy, Privacy Commissioner | Tagged: , , , | Permalink
Posted by Brian Bowman

How safe is your scan? Hard drives on copy machines pose risk

October 20, 2010

Does your office have a copy machine? If so, then this post is worth reading.  CBC news has just released the results of an investigation that exposes the security risks associated with modern copy machines, specifically, the ease at which information scanned into certain copiers can be tapped. Just think about the information that gets scanned into your office copier. Personal information. Confidential corporate information such as client data. Even intellectual property. It’s a scary thought if you haven’t done your due diligence, especially considering that privacy laws can apply to certain data undoubtedly scanned into your copy machine. Check out CBC’s online story here or TV segment here. And if you’d like to learn more, you may also want to read my post from earlier this year which provided a link to a similar CBS news story.

Leave a Comment » | Data Encryption, Data Protection, Identity Theft, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security, Technology | Tagged: , , , , , , | Permalink
Posted by Brian Bowman

Lessons from the Veteran Affairs Canada privacy breach

October 8, 2010

The recent headlines over the Veteran Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy if often from within an organization.

In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.

The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:

  • “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
  • Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
  • Provide training for employees about appropriate personal information-handling practices.
  • Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”

Leave a Comment » | Access to Information, Data Protection, Due Diligence, Government, Privacy, Privacy Breach, Privacy Commissioner of Canada, Safeguarding, Safekeeping, Security Breach, Training | Tagged: , , , , , | Permalink
Posted by Brian Bowman

Another day, another privacy breach…

October 6, 2010

CBC News is reporting that ”[g]arbage bags filled with confidential financial information were found blowing around in a [Winnipeg] North End back lane Tuesday, and people living in the area say they’re furious because of it. The bags contain tax return documents that include people’s names, social insurance numbers and in many cases, addresses and other sensitive financial information.”

This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.

Leave a Comment » | Identity Theft, PIPEDA, Privacy, Privacy Breach, Security Breach | Tagged: , , , , | Permalink
Posted by Brian Bowman

Rite Aid Fined $1 Million (U.S.) for Improperly Disposing Personal Information

August 9, 2010

Hogan Lovells LLP is reporting that Ride Aid has agreed to pay $1 million dollars (U.S.) to settle violations of U.S. health information privacy requirements. Interestingly, the FTC has ordered Rite Aid to cease misrepresenting its information security practices to customers and establish other personal information management securities safeguards.

As I have previously posted, we’ve seen million dollar privacy awards here in Canada but what’s interesting is the fact that the FTC took issue with an organization “misrepresenting” its privacy protection practices. It’s a good reminder that simply having a privacy policy doesn’t cut it. Businesses must ensure that internal policies and procedures exist and are enforced on an ongoing basis in order to live up to commitments made in privacy policies.

Leave a Comment » | Privacy | Tagged: , , | Permalink
Posted by Brian Bowman

« Previous Entries
Follow

Get every new post delivered to your Inbox.

Join 104 other followers