Laptop searches at the border…again
June 1, 2010
Over a year ago, I commented on the privacy issues related to taking a laptop, cellphone or iPod across the U.S. border. As reported here by Computerworld, a federal court has ruled in Michigan that the U.S. government has the right to “seize and transport a computer to a secondary inspection facility”, as long as there is a reasonable suspicion. Given the proliferation of tech devices in today’s workplace, you may want to consider if your business has the necessary policies and practices in place to protect data that’s probably leaving your doors today, and possibly going over the border via laptops and other mobile devices.
Feds introduce amendments to PIPEDA, re-introduce Anti-Spam Bill
May 25, 2010
The federal government introduced legislation today to amend PIPEDA and re-introduce the Anti-Spam Bill. I’ve previously posted here regarding the anticipated changes to PIPEDA and here about the Anti-Spam Bill.
From today’s news release:
The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.
Here’s the full Industry Canada news release.
(Hat tip to David Fraser’s Canadian Privacy Law Blog)
Copy machines, a security risk?
May 11, 2010
CBS News has an excellent investigative report here (on YouTube) about the security risks associated with copy machines. Members of the Privacy Forum will already know about this issue because we’ve previously highlighted it and relevant risk mitigation steps in the Canadian privacy law context. However, if you’re not aware of the issue then this report is a “must-see”.
A Conversation with Gary Dickson, Q.C.
May 5, 2010
Continuing a series of blog posts that I’m calling “A Conversation with…”, I’m really pleased to post the following conversation with the Information and Privacy Commissioner of Saskatchewan, Gary Dickson, Q.C.
Gary Dickson was appointed as Saskatchewan’s first full-time Information and Privacy Commissioner back in 2003, and he was re-appointed in 2009 for a further five-year term. That’s great news because Gary Dickson has been outstanding in his role as Commissioner. On a personal note, I’ve been thrilled to watch his many successes as Commissioner. I’ve known Gary for many years. In fact, it was he who suggested that I get involved with the Canadian Bar Association at a time when some of us were trying to form what is now the CBA’s National Privacy and Access Law Section.
Thanks to Commissioner Dickson for agreeing to take part in this online Q & A conversation. CFL fans may find some humour in the last Q & A below. Go Bombers! If you’d like to learn more about Commissioner Dickson or the Office of the Saskatchewan Information and Privacy Commissioner (“IPC”), I’d encourage you to visit the IPC’s website.
Q. You were previously an Alberta MLA. In that capacity, you were involved in privacy law development as the critic for the Freedom of Information and the Protection of Privacy portfolio, and also on several important privacy law committees and panels. What’s it like to now be involved with privacy as the Information and Privacy Commissioner of Saskatchewan?
A. The experience is exciting, stimulating, and almost always challenging. I am very fortunate that our office has a committed team of excellent staff who are focused on ensuring that Saskatchewan residents enjoy the full benefit of our provincial access and privacy laws. I’m very lucky to continue to be involved with such a fascinating area but from a very different perspective than that of a lawmaker. It has been very useful to have had that experience in the development of access and privacy legislation before I assumed the new Commissioner role in Saskatchewan. I hope that I am more aware and more sympathetic to the challenges and issues that arise with any access and privacy law for front line workers. It has certainly motivated me to promote wherever possible making such laws simpler and more accessible to the people who must administer them and for those who are the ‘data subjects’. I have also enjoyed the opportunity to modestly influence the way that our access and privacy laws are viewed and understood. My experience in Saskatchewan has been that those who work in public bodies or health trustee organizations genuinely want to do the ‘right thing’ in terms of transparency and privacy protection but are often unsure on where the line is drawn and are unfamiliar with best practices that have evolved over the last 26 years in Canada. As a result, a major focus for my initial five years in Saskatchewan has been on raising awareness and creating tools to assist those workers meet their statutory responsibilities.
Q. While Alberta, Quebec, British Columbia and Ontario (for personal health information only) have provincial privacy laws that are “substantially similar” to PIPEDA, Saskatchewan does not. Is it time for that to change?
A. I have for the last six years encouraged the former provincial government and now the current government to carefully consider the advantages of adopting a PIPA type law based on the B.C. and Alberta experience. As it stands, our fundraising foundations and NGOs, including those that deal with significant amounts of sensitive, prejudicial personal information are effectively unregulated. We often hear complaints from employees working in private businesses (not federal works, undertakings, etc.) who are extremely disappointed and upset when we tell them that they do not have the same privacy protection guaranteed to all public sector employees in Saskatchewan. I must acknowledge that the federal Privacy Commissioner has recently undertaken a pilot project in Saskatchewan to raise awareness of PIPEDA but this exercise also has highlighted how big the knowledge deficit is in the small and medium sized business sector. I remain of the view that Saskatchewan individuals, businesses and charitable NGOs should all benefit from a simple private sector privacy law. This could be designed to complement and harmonize with our public sector FOIP and Local Authority FOIP Acts and our Health Information Protection Act. It would allow for a more seamless kind of privacy protection that would be simpler for those organizations and for residents. I notice that the impetus for PIPA in BC and Alberta was really business organizations such as Chambers of Commerce realizing that PIPEDA is in some respects cumbersome and deficient for the SME sector. Business organizations in Saskatchewan do not appear to have adopted that view.
Q. The Saskatchewan Gaming Corporation has been recognized as a positive privacy story. What has it done, and what role has your office had in this development?
A. This is a good example of how an Information and Privacy Commission office can perhaps achieve more through consultation than by emphasizing the enforcement role. We started out a year ago with a complaint that the Casino Box Office in Regina required anyone purchasing a ticket for a show to provide name and contact information even if purchasing the ticket with cash. When we followed up with the Saskatchewan Gaming Corporation that operates the casinos in Regina and Moose Jaw, we found no senior identified FOIP Coordinator or Privacy Officer, no appropriate policies and procedures and no comprehensive training program for staff. Instead of focusing solely on the collection of personal information by the Box Office, we spent the better part of the year working with the Corporation in fundamentally reorganizing to meet its FOIP responsibilities as a ‘government institution’. With the assistance of a Portfolio Officer from our OIPC, the Corporation made a senior Vice President the new Privacy Officer and FOIP Coordinator. Comprehensive policies were put in place and a new FOIP training program rolled out. In the casino, the Box Office now only collects personal information if the ticket purchaser volunteered that information but it is no longer mandatory. In addition, prominent signage now advises customers of the Corporation’s information collection practices. There is also new literature readily available to customers. I think that as a result of our collaboration the Corporation and its leadership now view our office as a useful resource and as an office genuinely committed to operating on the basis of cooperation and collaboration.
Q. You’ve published a best practices guide for mobile device security. It’s getting easier to collect and store personal information, but are we keeping up with our privacy responsibilities in the meantime?
A. I’m afraid that privacy risks are not always top-of-mind for organizations embarking on new IT programs, systems, etc. Although we have developed a Privacy Impact Assessment tool available on our website, there is no statutory requirement that a PIA be done by a public body or health trustee before proceeding with new technology. What is perhaps even more troubling is that we see problems with old technology. Our office brought out a FAX advisory after we found a number of health information trustees didn’t appreciate that when the modern multi-use copier machine is sold as surplus equipment it likely will contain memory of the documents it has processed and perhaps a substantial amount of personal health information. Look at the number of cases that have come to Information and Privacy Commissioners across the country that involved theft of unencrypted laptops. So, the short answer is that many organizations are not keeping up with their privacy responsibilities. The education and compliance challenge continues apace.
Q. Your office opened more than double the amount of case files in 2009 than it did in 2008. Is this number going up because of inadequate privacy practices, because the public is becoming more aware of its privacy rights, or both?
A. Good question. I think the answer is some of both. I believe there is significantly higher privacy awareness with the organizations that my office oversees and also greater public awareness. The difficult question is how accurately we can assess what is going on with all approximately 3000 organizations that we oversee given that we are largely in a reactive role. In any given year if we are dealing with 200 organizations are these just the few ‘bad apples’ or is this indicative of widespread non-compliance? We simply don’t have the resources to be able to accurately assess and catalogue privacy compliance province wide. At the end of the day however, whatever the reason for the large increase in case files there is an indication that a lot more work is yet to be done to move to a more pervasive privacy protective culture.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. One of the interesting ‘growth’ areas will be the electronic health record. Our office just issued our first Investigation Report (H2010-001) dealing with our electronic health record now in development. This involved a pharmacist who entered the Pharmaceutical Information Program database on nine different occasions to view medication profiles for three individuals who were not patients/customers of that pharmacist or the pharmacy he worked for. We identified a number of problems in terms of HIPA compliance with the pharmacy, the regional health authority and the Ministry of Health. We also issued more than 20 recommendations for remedial action. Since the electronic health record is still some distance from completion, I anticipate that there may be more complaints of this type touching on some element or another of the E.H.R. In fact, at the end of my Investigation Report, I included a Postscript which incorporated a number of broader considerations that this particular case highlighted.
We will be carefully monitoring changes to our health information regulations that enable regional health authorities to disclose certain personal health information of patients to hospital foundations without prior consent of those patients.
Finally, we are witnessing a number of new information and data-sharing initiatives with Executive Government and we expect to be busy considering these initiatives in the next few years.
Q. And, finally, how many points do you think the Winnipeg Blue Bombers will beat the Saskatchewan Roughriders this year in the Labour Day Classic game?
A. I love the fact that all of those Bomber fans come to Regina and generously spend their dollars in our hotels and restaurants and I always feel badly for their long drive back to Winnipeg. Sorry Brian but I don’t see that the return trip to Winnipeg is likely to be any more joyous in 2010!!
Should you say “no” to the police?
April 7, 2010
Imagine this scenario… The police show up at your office and demand access to records relating to one of your customers. You want to help the police (as you should), but are concerned about violating your customer’s privacy rights. What should you do?
Well, the first thing you should do is ask the police for written documentation relating to their request. You should also immediately contact a lawyer with appropriate expertise because this type of scenario can be a legal minefield. For example, are you actually dealing with the police or some bold scam artist? Do the police have the legal authority to demand the requested information? Should they have a warrant?
Presuming that you end up providing the records to the police, you’ll need to ensure that you’re not providing too much information. If the records of your customer are co-mingled with another individual, you’ll need to consider whether you can legally provide the police with access to the other person’s information. Are you then barred from telling the customer that the police were at your office? What sort of internal records should you keep to document that the police accessed your files? How long do you need to keep those internal records?
It’s never fun to say “no” to the police. They are, after all, typically armed. But hopefully the police will make it easy for you to satisfy yourself, and your lawyer, that working cooperatively with them won’t violate your customer’s privacy and unnecessarily expose your business to liability.
A Conversation with Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner
March 1, 2010
Continuing a series of blog posts that I’m calling “A Conversation with…”, I’m delighted to post the following conversation with Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian.
Dr. Cavoukian leads a dynamic team of professionals at the IPC who are at the forefront of addressing today’s privacy challenges. Her depth of understanding of privacy issues combined with her passion for privacy has made for a powerful and learned force in Canada’s privacy world.
Thanks to Dr. Cavoukian for agreeing to take part in this online Q & A conversation. If you’d like to learn more about Dr. Cavoukian, the IPC, or the issues raised in this conversation, I’d encourage you to visit the IPC’s website.
Q. In one of my previous blog posts, Jennifer Stoddart explained how she got involved in the world of privacy. How about you?
A. I have always had an interest in human rights, but my direct introduction to the privacy world came as a result of my work as the Chief of Research for the Attorney General of Ontario. As part of the role I completed a program evaluation of the Public Complaints Commission headed by (now Justice) Sidney B. Linden. He was aware of my work with the Canadian Civil Liberties Association, among other things, and when Justice Linden was appointed as the first Information and Privacy Commissioner of Ontario in 1987, he asked me to join him as the Director of Investigations. I haven’t looked back since!
Q. One of your significant achievements has been your development and advocacy of “Privacy by Design”. Can you explain the concept behind Privacy by Design?
A. The privacy landscape of the early ‘90s had become increasingly challenging – the volume of personal information collected was growing, as were the risks posed by increasingly sophisticated and interconnected technologies. It became clear to me that relying solely on compliance with regulation and legislation would no longer be sufficient to safeguard the protection of personal information. Instead, organizations would need to operate in an environment of default privacy protection. Those which could do so, I recognized, would gain a competitive advantage.
This is the context in which I developed Privacy by Design (PbD), my philosophy of embedding privacy into the design of three broad application areas: information technology; business practices; and physical design/infrastructure. Instead of treating privacy as an afterthought – “bolting” it on after the fact – I argued that privacy should be regarded as a design feature and built right into the system, from the outset. PbD shatters the zero-sum paradigm which trades off privacy against security and functionality. It is positive-sum, or doubly-enabling “win-win” in nature, demonstrating that it is possible to protect privacy without compromising other legitimate requirements, such as security or functionality.
You can find our “7 Foundational Principles” of PbD at www.privacybydesign.ca. To summarize, PbD seeks to establish privacy as the default by embedding it in system design. It is proactive in nature – already in place when data is first collected, it describes a comprehensive “cradle to grave” approach to information management. In being proactive, it seeks to prevent data breaches from occurring, rather than prescribing remedial actions. Importantly, it demonstrates respect for user privacy by ensuring that its component parts and operations are transparent and subject to independent verification.
Q. Who should be aware of, and consider following, the principles of Privacy by Design?
A. Broad spectrums of people within most organizations should be aware of Privacy by Design – certainly anyone with influence over how personal information is managed.
Personal information is an asset, the value of which is protected and enhanced by a suite of security practices and business processes. Regardless of industry sector, whether the organization is large or small, public or private, whether it is retained in house or out-sourced, executive leadership and managers responsible for the management of personal information need to carefully consider how to build privacy protections directly into their operations.
I have a new title for those who commit themselves and their organizations to the principles of Privacy by Design – I am appointing them as PbD Ambassadors. Those who wish to learn more can visit our Privacy by Design website, which houses all of the PbD resources developed by my Office over the years. While there, I hope people will take the time to share their own PbD experiences or questions with our growing PbD community on the Global Forum. You can now also follow PbD on Twitter @embedprivacy.
I remind people that Privacy by Design was not developed for use in an ivory tower. I always intended it to result in real and positive changes in our everyday lives.
Q. So can you give us an example of the “win-win” approach of Privacy by Design in action?
A. An example that really brought Privacy by Design to life is the work being undertaken by our mass transit system – the Toronto Transit Commission (TTC), in testing and deploying encryption-based video surveillance technology.
In the autumn of 2007, the Toronto Transit Commission (TTC) announced plans to expand its video surveillance program on both surface vehicles and within the subway system. In response to a formal complaint, I launched an investigation. I found that the TTC’s expansion of its video surveillance system did not contravene any applicable laws. However, I strongly urged the TTC to adopt privacy-enhancing video surveillance technology that was being developed at the University of Toronto by Karl Martin and Professor Kostas Plataniotis.
Using innovative object-based encryption, the technology completely obscures the images of individuals who appear as the subjects of video surveillance. However, unlike current permanent masking techniques, the technology enables the images to be decrypted at a later time, only by authorized staff, when an incident occurs that demands further investigation for safety or security purposes.
This new technology, in its essence, lays to rest the outdated zero-sum paradigm, where one party wins and one party loses. It ushers in a new era in “positive-sum” thinking where both parties may “win” and neither party must, by necessity, lose. Positive-sum privacy-enhancing technologies (I call them PETs Plus) ultimately enable the co-existence of privacy and security, side by side, without forfeiting one for the other, “win-win,” not “win-lose.”
For the full report, see Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report.
Q. One of the first virtual strip search scanners was recently installed at Toronto’s Lester B. Pearson International Airport. What are your thoughts about the privacy implications of these scanners?
A. I feel it’s important that we understand exactly what this technology does. The public should know what types of images are being produced of them, and what happens with those images. That’s why I chose to personally experience the Whole Body Imaging (WBI) system in both Toronto and Washington D.C. – to assess first-hand how passengers are treated.
From a privacy perspective, my WBI experience highlighted several important points. The scanned images displayed are not actual pictures and do not contain any unique personal identifiers (there is no way for someone to identify the image as my own). The screening site where the scanner images are viewed is located in a windowless, secure room located a significant distance away from the open scanning area. The personnel viewing the images are not able to visually connect images with the actual passengers being scanned. Also, the machines are not able to record, copy or store any images. Finally, the personnel who review the scanned images are not allowed to have cameras, cell phones or any other recording devices in the secure viewing room.
I have always believed that privacy needs to be built directly into technology – privacy by default. Improved airport security need not come at the expense of privacy – both may be achieved together, in a positive-sum manner.
Q. Business professionals consult this blog (at least, I like to think they do!). Based on your experience as Ontario’s Information and Privacy Commissioner, can you identify an area where businesses fall short in the realm of privacy and provide tips to help address the problem?
A. It is a sad fact that many privacy breaches occur largely because of poor information management practices by organizations, and the volume of the information at risk grows with the ever increasing collection of personal information.
As Commissioner, half of the Health Orders that I have issued under Ontario’s Personal Health Information Protection Act (PHIPA) were the result of personal health records being abandoned or disposed of in an unsecure manner. Identity theft is one of the fastest growing forms of consumer fraud in North America, costing Canadians millions of dollars a day and billions of dollars a year.
That is why it is crucial for all organizations, large, medium or small, to engage in the practice of “secure destruction.” The goal of secure destruction is to have records containing any personal information permanently destroyed or erased in an irreversible manner which ensures that the record cannot be reconstructed in any way.
For the effective secure destruction of records, organizations need to ensure that they match the destruction method to the media. For paper records this means using cross-cut shredders which do not allow for records to be reconstructed. For electronic media such as DVDs or USB keys, the media should be physically destroyed.
Further, if an organization is hiring an external agent to destroy records, they need to be selective. Look for a provider that is accredited by an industrial trade association or is willing to commit to upholding its principles, including undergoing independent audits. Always check references, and insist on a signed contract spelling out the terms of the relationship, to ensure end-to-end lifecycle protection. Remember, you can outsource the service, but you can never outsource accountability.
For more information, please see Fact Sheet #10, Secure Destruction of Personal Information.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. The privacy landscape is continually changing and posing new challenges – particularly in this age of information technology where personal information about individuals is increasingly collected and stored indefinitely.
In addition to daily developments on the “Cloud” and Web 2.0, one of the areas we are focusing on in 2010 is the Smart Grid – the modernization of the current electrical grid with a view to more efficient energy usage and delivery. This will involve the increased collection, use and disclosure of end users’ personal information. I have identified privacy as the real “sleeper issue” in this area, which causes me great concern. The Smart Grid is still in a nascent stage, not only here in Ontario and across North America, but around the world. So now is the time to bake in privacy right from the outset. With that in mind, we are proactively working with local energy distributors, and government officials, to ensure that privacy is top of mind as we move toward the Smart Grid. It is the ideal time to proactively build in privacy – by design.
Businesses should learn from 2010 Olympics surveillance camera debate
February 16, 2010
The 2010 Olympics are finally here! So too are the reportedly pervasive crowd surveillance cameras that are monitoring spectators’ every move.
Privacy advocates are already voicing concern. But unlike previous public debates regarding privacy and surveillance cameras, I expect that the concerns that’ll be raised during and after the 2010 Olympics will be more comprehensive than the traditional “privacy vs security” debate. For instance, Jennifer Stoddart, Canada’s Privacy Commissioner, recently commented on this blog that “one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all of the cameras and recordings after the flame is extinguished.”
Of course, there are legal tests that governments (and businesses) should use to determine the appropriateness of installing surveillance cameras in the first place. But once any organization has decided to install surveillance cameras there’s a corresponding requirement to appropriately manage the data that’s collected. For instance, organizations must ensure that they have security, retention and destruction policies in place. This is the “devil in the detail” that’s often overlooked.
I expect public scrutiny of the surveillance cameras being used during the 2010 Olympics. And such scrutiny will increase public expectations on businesses to properly manage data that they too collect by surveillance cameras.
A Conversation with Frank Work, Alberta’s Information and Privacy Commissioner
February 3, 2010
Continuing a series of blog posts that I’m calling “A Conversation with…” (the first being A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada), I’m delighted to post the following conversation with Frank Work.
Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first! As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.
Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.
Q. Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?
A. A couple of years ago the Edmonton police raided a hang out for meth users. They found a lot of papers from businesses in the area, which they gave to us. Cell phone contracts, credit bureau checks, credit card information and so on. The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high. They don’t sleep. They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.
Q. So what can the public do to protect itself from that kind of identity theft?
A. Individuals should shred bank and credit card statements. They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft. Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports. Check your bank and credit card statements to make sure someone else isn’t using them. Do a credit bureau reference on yourself maybe once a year. If your score is lower than you think, find out why. If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.
The other side of the problem is organizations that have peoples’ info. They must take proper care of it. As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers files, all thrown away. These papers all have potential for fraudulent use. Businesses need to shred this stuff. Furthermore, for businesses that have customer databases, how well secured is it? Who on their staff has access to it? We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.
Q. Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?
A. It is early days yet. Hopefully it will make organizations extra careful with personal information. Will that raise the bar for organizations in other provinces? Maybe. If you are going to change your practices here, you might as well change them everywhere. Possibly more provinces will legislate. A big piece of the picture will be when the Federal government amends PIPEDA in this regard. Maybe this will increase pressure to do so. It will be a challenge to figure out what “a real risk of significant harm” is. It will be a challenge to figure out in which cases there should be notice given and what kind of notice.
Q. You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?
A. We aren’t perfect but we are way ahead of most other jurisdictions. The “commissioner” system of enforcement has served us well because we do not have the kind of well funded civil society organizations which can advocate for privacy. Commissioners can and do advocate. I mean, I would love to have an ACLU, or an EPIC or an EFF in Canada. Our civil liberties people, like FIPA in BC do great work with the resources they have but resources are scarce. We need some rich people to endow some of these groups. The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy. We get it to some extent. I like to think it is because we are, yes, polite, and respectful of other people. That makes us respect each other’s space. We must not lose that as the world becomes one big facebook/google culture. Teach your children well.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. Cyber attacks, hacks and other losses will continue. Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed. I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening. Governments like surveillance. Heck, the public likes surveillance because we are just so bad at risk assessment. We are scared of everything it seems and we want someone to keep an eye on everything for us. It will be interesting to see if technology begins to fail us. For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it? They bring in new technology. And that doesn’t prevent the next one (God forbid). Maybe they run out of technology, although, for the money involved I don’t see that happening. Someone will come up with a new toy. Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?” I think that will be a social shock.
A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada
January 25, 2010
I’m very pleased to be able to post the following conversation with Jennifer Stoddart.
Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism. As a result, Canadians have been exceptionally well-served.
Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.
Q. How did you get involved in the world of privacy?
A. Back in the spring of 2000, I happened to read an article in the New York Times Magazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.
I was working at the Quebec Human Rights Commission at the time. The next week, I was asked to head up Quebec’s Access to Information and Privacy Commission, and that’s the field I’ve been in ever since.
Q. But it’s coming to an end.
A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.
Last year’s investigation into a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.
Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?
A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.
As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.
Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.
Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?
A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.
We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.
So the challenges are real, and they are huge.
Q. So how does an Office like yours keep up?
A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.
We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.
But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.
Q. If you could make a few recommendations for Canadian business leaders, what would you say?
A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act, as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.
Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.
I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance.
Q. Do you have any “privacy-related” predictions for 2010?
A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.
And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.
I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.
On the lighter side… RMR: A Message From Transport Canada
January 20, 2010
There sure has been quite a bit of chatter amongst privacy professionals about the virtual strip search scanners being installed in Canadian airports. My last post addressed the substantive privacy issues. But on the lighter side, CBC’s Rick Mercer has had some fun with the issue in this supposed “Message from Transport Canada”. Check it out if you need a good laugh.
Privacy folks crying wolf on scanners
January 7, 2010
Will the virtual strip-search scanners soon to be operational in Winnipeg’s Richardson International Airport be an invasion of privacy? Absolutely. Should they be installed despite privacy concerns? Absolutely.
You may note that the above link takes you to the Winnipeg Sun. I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis. I hope you find them of interest!
58% of employees prepared to illegally download company/competitive data
November 28, 2009
According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.
More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information. The favoured medium for stealing corporate information is a USB memory stick followed by e-mail.
As I’ve mentioned in previous posts, rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping. In today’s economy, information is the most valuable corporate asset. For this reason, businesses of all sizes should take proactive steps to protect corporate data. Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.
Rogue employees pose risk to privacy compliance, corporate info
November 18, 2009
The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies. Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.
As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping.
This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.
“Naked” airport scanners get green light
November 3, 2009
Don’t let anyone tell you that something can’t be done because of privacy laws. For example, how many times have you heard someone say, “privacy laws handcuff the ability of law enforcement to protect Canadians” or “businesses can’t compete because of heavy-handed privacy laws”? Yes, in very limited circumstances privacy laws can restrict certain activities. But, these cases are few and far between. In many more circumstances, privacy considerations simply need to be built into the design of a product or service.
Case in point is the recent coverage that Assistant Privacy Commissioner of Canada, Chantal Bernier, has approved the use of airport scanners that can see through your clothes. Who would have thought that the Office of the Privacy Commissioner of Canada would ever approve what have been referred to as “naked” airport scanners? But if you look at the manner in which the scanners will apparently be rolled out, there appears to be a balance between security and privacy considerations. As I’ve previously posted, “Privacy by Design” can help those with a “can-do” attitude.
Regardless of whether I agree that the “naked” airport scanners are lawful (and regardless of whether I’ll choose to walk through one of these scanners myself), it’s great to see an attempt at “Privacy by Design” in action. To be honest, however, my greatest concern is for the poor airport security professionals who may one day have to look at my less than stellar outline. I’m not sure how much they get paid, but it’s probably not enough!
Privacy vs. security in the Internet age
October 19, 2009
The Federal Government’s recent initiative to modernize law enforcement related legislation for the Internet age has (at least within law enforcement and privacy circles) once again propelled the issue of privacy vs. security to the forefront. The issues are incredibly important for Canadians, yet there has been little debate within the wider public. That being said, I’m pleased to read Ian MacLeod’s recent Ottawa Citizen article, which (even if you don’t agree with some of the points) does a good job of raising the issues in plain language. For a more technical analysis of the legal issues, you may want to read fellow blogger David Fraser’s post regarding the debate about warrantless access to ISP customer information.
The debate surrounding the “lawful access” legislation stems from real challenges affecting Canada’s law enforcement agencies and their need for access to personal information in the course of investigations. What is concerning, however, is the prospect of warrantless searches without judicial oversight. As a citizen in a free and democratic society, it troubles me to see any legislative initiative that could lead to investigations without appropriate checks and balances. Privacy and security don’t need to be mutually exclusive. Let’s hope that through the upcoming Parliamentary Hearings on the “lawful access” legislation we see a balance emerge between privacy and security in such a way that empowers law enforcement agencies while preserving the judicial oversight that Canadians have come to rightfully expect in our society.
Summer is over but “phishing” continues
October 6, 2009
BBC News is reporting that thousands of Hotmail accounts have been compromised in a phishing attack, which has reportedly affected at least 10,000 individuals.
Phishing involves identity thieves attempting to obtain personal information, such as user names, passwords and financial information, by pretending to be trustworthy organizations in need of such data.
Coincidentally, the Privacy Commissioner of Canada released her annual report today, which stresses the importance of making informed choices when sharing personal information online. The Privacy Commissioner reminds Canadians that there is a risk that unguarded personal information could be exploited by identity thieves. The Hotmail phishing attack, as well as the Privacy Commissioner’s annual report, should also remind businesses to remain vigilant in protecting their brands – or online reputations – from being damaged by identity thieves that use phishing attacks to exploit the well-earned trust that such businesses have built with their customers.
E-mail disclaimers: why bother?
September 21, 2009
Peruse through your Inbox and look at the e-mails you have received this week. No doubt there will be a few that include legal notices at the bottom of messages warning you of the confidential nature of the correspondence and stressing that if you are not the intended addressee that you are to return the e-mail to the sender… immediately! These automatically generated e-mail disclaimers have become standard business practice. They have become so commonplace it begs the question: are e-mail disclaimers legally enforceable?
This very question has yet to be the focus of judicial consideration in Canada, and it appears as though it remains an unresolved issue in most other jurisdictions. Although bloggers and writers have analyzed e-mail disclaimers, there is no authoritative jurisprudence or legislation to shore up their arguments. There are a number of issues surrounding the enforceability discussion, including, among other things:
- the lack of consideration between parties to create binding contracts via typical e-mails;
- the timing of e-mail disclaimers (they come at the end of e-mails, after recipients have read the messages); and
- the otherwise lack of confidentiality associated with e-mails, which has come to light through the ever-increasing number of e-fraud cases.
That said, it is always safer to err on the side of caution. In the event your organization were unlucky enough to be sued for the contents of an e-mail, it may prove useful to have used an e-mail disclaimer. At the end of the day, even though the enforceability of e-mail disclaimers may not have yet been judicially considered, having an appropriately drafted e-mail disclaimer may help mitigate your business’s liability in the event of an unfortunate e-mail mishap.
E-mail disclaimers should be drafted with legal and business considerations in mind in such a manner that reflects the values, marketing strategy and risk tolerance of your organization. Please contact me if I can provide any assistance in drafting an e-mail disclaimer that suits your organization’s needs.
Are the media subject to PIPEDA?
September 16, 2009
Is there one set of privacy rules for regular businesses and one for the media? In a past case summary, the Office of the Privacy Commissioner of Canada (the “OPC”) found that a radio station which had broadcast the name and comments of a caller who had phoned the radio station’s news tips line to relay specific details of a robbery was not a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). Why wasn’t this a violation?
PIPEDA contains provisions aimed at protecting the media’s right to “freedom of expression”, which is a pretty fundamental right worth protecting in a free and democratic society. Specifically, PIPEDA’s privacy obligations don’t apply to “any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose”. When the collection of personal information is solely for journalistic purposes, journalists aren’t required to obtain the consent of individuals about whom the information relates. The result is that if a journalist’s activities are truly “journalistic” then they can proceed with the collection and broadcast of personal information without seeking permission from individuals. Of course, it’s still a good idea to obtain consent in most circumstances despite the exemption.
When the media collects, uses or discloses personal information for reasons that are not journalistic, serious issues arise as they would for any regular business. In the finding noted above, the OPC determined that the personal information collected by the radio station was intended solely for journalistic purposes. That’s why the OPC was of the view that there had not been any violation of PIPEDA. Any illusion that the media are not bound by PIPEDA is wrong. But there are appropriate exemptions in the law that help them to conduct their important work.
Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner
September 10, 2009
A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner.
In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more than 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home,” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007. The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information. A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted.
These incidents demonstrate how easily sensitive data can be compromised when stored on laptops. Encryption is a relatively easy way to improve the security of such information. But where do you start? There are numerous encryption options available. Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same: encrypting laptops significantly improves security, and that’s just smart business.
The conflict between mobile devices and privacy: can’t we all just get along?
August 24, 2009
The sound of ringing telephones has caused migraines for millions ever since Alexander Graham Bell placed the first call to Mr. Watson in 1876. But thanks to some newly released technology, that’s about to change. Got a headache? There is, to borrow a phrase from a successful ad campaign, an app for that. Bellaire, Texas med-web company BetterQOL is rolling out iHeadache, an iPhone application that purports to “classify” and assist with diagnosing a user’s headache. iHeadache is one of many cutting edge applications available for use with smartphones. Don’t expect this trend to stop any time soon: thanks to programs like Apple’s iPhone Developer (only $99 for the standard edition), it’s becoming even easier for technology-savvy businesses to create their own apps.
Still not convinced? Consider this list of impressive apps for today’s traveler: Pocket Express, an app that acts as a mobile concierge; Stanza, an app that allows a user to load magazines and books to their smartphone; and GoodFood, which helps a user pick and locate a restaurant based on an array of dining preferences. It’s a good time to be a smartphone user, but perhaps even a better time to be an entrepreneur. Smartphones are increasingly offering businesses a direct window into the hearts, minds and, yes, wallets of potential customers.
But it’s not all good news, privacy advocates remind us. Many smartphone apps guzzle fuel like your Dad’s ’70 GTO, except they’re eating personal user information instead of gasoline. For example, your app may record your location, gender and birth year before it spits out the location of that perfect sale you’ve been looking for. A sizeable amount of personal information is in play, but, fortunately, Ontario’s Office of the Information and Privacy Commissioner (“IPC”) has been ahead of the curve with its call for “Privacy by Design”. Initially unveiled over 10 years ago, the concept of Privacy by Design combines privacy and security measures at the design specification stage of a project. Instead of waiting until privacy problems pop up to deal with them, Privacy by Design contemplates a proactive approach toward potential privacy issues. This methodology uses Privacy Enhancing Technology such as encryption to provide both maximum security and privacy protection. It is, as the IPC bills it, a “win-win” situation. Other examples of Privacy by Design include anonymous billing systems and depersonalization software.
It’s an exciting time to be a technologically-inclined entrepreneur, but the privacy consequences of smartphone apps cannot (and should not) be ignored. Any business that is considering creating or otherwise implementing an app should consider the privacy implications of doing so, preferably at the early stages of project development.
Palm Pre phone secretly used GPS to report user’s location to company: Los Angeles Times
August 17, 2009
The Los Angeles Times is reporting that the Palm Pre phone secretly uses GPS to report users’ locations to the company.
It is an interesting story because it illustrates the importance of having clear privacy policies that customers can understand. It is also an interesting story because it (once again) demonstrates the attention that the media place on privacy matters and the potentially explosive reaction that customers can have if they feel their privacy isn’t being respected.
Who are the identity thieves?
August 4, 2009
Headline after headline these days talks about the growing incidence of identity theft. But who really are these identity thieves? Do they work alone or for KAOS (Get Smart fans will understand this joke)? To answer this timely question, there is a recent post on the Office of the Privacy Commissioner of Canada’s blog entitled “Who are these identity thieves?”
The post cites an earlier survey by the Privacy Commissioner that shows that one Canadian out of six has been the victim of some form of identity theft and that more than 90% of Canadians report that they are concerned about identity theft. The Privacy Commissioner’s post also cites a report by Benoit Dupont, the Canada Research Chair in Security, Identity and Technology at l’Université de Montréal, and his colleague Guillaume Louis, which offers an illuminating profile of identity thieves. Here are some highlights:
- 1.7 million Canadians were affected by identity theft in 2008.
- More than 45% of cases of identity theft involve Internet use. However, the way “offenders” use the Internet is not as significant as we might think in terms of acquiring the victim’s personal information. On the contrary, it plays a greater role in actually committing fraud.
- “Women account for nearly 40% of offenders. We believe that this strong presence can be attributed to the absence of violence inherent to this sort of crime and the possibility of committing the crime without help from an accomplice.”
- “Identity thieves are relatively older than other offenders; the average age is 33 years.”
- “Offenders acted alone in the majority of cases (64.6%), which seems to contradict the theory of extensive involvement by organized crime in this type of offence.”
The Privacy Commissioner’s post also cites a 2008 report released by the McMaster eBusiness Research Centre that showed that victims spent more than 20 million hours and $150 million resolving problems associated with these crimes. If you’d like to read more about identity theft, please click on the “Identity theft” link under this blog’s Tags.
Portable Storage Devices (PSDs): Lessons learned from Australia and New Zealand
July 13, 2009
The Australian and New Zealand Privacy Commissioners recently released studies examining the use of Portable Storage Devices (PSDs) by their governmental agencies. The aim was to examine the risks to personal information posed by the use of PSDs. PSDs are small, convenient devices capable of storing large amounts of information; they include laptops, cell phones, USBs, hard drives and iPods.
The studies found that government agencies often keep track of the PSDs they issue but seldom do audit checks on those devices. Policies regulating proper usage are often developed, but rarely enforced. Hardware controls (e.g. sealing off ports and disabling cables) are used less frequently than software controls (e.g. blocking access to certain databases, or monitoring access and information downloaded).
The majority of agencies (like most private sector businesses in Canada) also allow the use of private PSDs for work (e.g. a cell phone which is used for both personal and business purposes). The studies found that policies regarding the use of private PSDs were less common and much less enforceable than policies for agency-issued PSDs. Even though these studies only analyzed governmental use, the New Zealand Privacy Commissioner stated that she believed the findings were equally applicable to private sector businesses.
As I’ve commented in previous posts, there are privacy risks associated with the use of PSDs. First of all, there have been numerous incidents of stolen laptops and other PSDs that contained personal information. Secondly, devices such as USBs are easy to lose. Thirdly, disgruntled employees can easily use PSDs to steal personal information and other confidential corporate information from employers. For example, an employee can simply click a button and download a company’s entire database in a matter of minutes. This is called “pod-slurping” and is especially a threat given the fact that many government agencies and private companies do not have the software capability to track when data has been downloaded to a PSD.
In order to avoid a privacy breach and resulting damage to your business, consider implementing some of the suggestions contained in a 2006 investigation by the Alberta Privacy Commissioner (which I would add should, of course, be implemented in accordance with your organization’s privacy policy and applicable law):
- Develop policies on proper usage of PSDs (whether company-issued or private) and train employees about these policies. Include detailed instructions about retention and deletion of personal information;
- Limit the amount of personal information that is stored on PSDs;
- Use encryption on all PSDs that store personal information. Password protection alone is not sufficient as there are free software programs available on the Internet which can crack passwords;
- Monitor the use of PSDs through software (e.g. install software that tracks data downloaded from a database onto a PSD);
- Instead of using PSDs, implement technologies that allow employees to access a database through a secure network;
- With respect to laptop thefts, consider installing tracking software that can trace the location of a lost laptop. Also consider installing a “kill switch” so that the computer will self-destruct if an individual tries to gain unauthorized access; and
- Stress to employees the need to use appropriate safeguards at all times, even when at home.
Smartphones in the workplace: what’s your business doing to manage the risk?
July 6, 2009
Recently, an interesting article in the Globe and Mail dealt with the issue of smartphone etiquette. Business professionals fidgeting with their BlackBerrys and iPhones in meetings, walking through airports with eyes glued to their small glowing screens and operating their devices in restrooms may seem unrealistic at first blush, but is it really? The reality is that smartphones have permeated the business world. They are everywhere, they are powerful and have the potential to be extremely damaging.
Breaches of confidential corporate data and personal information are nothing new to the business world, but smartphones have brought a new dimension to the problem. Smartphones are starting to make appearances in Canadian court cases in a supporting role, but it won’t be long before they are squarely in the spotlight. The latest iPhone model has up to 32GB of memory while BlackBerrys can store vast amounts of data on memory cards. The equivalent of entire filing cabinets can now be carried around conveniently in your shirt pocket. This reality has increased the risk for massive privacy breaches in the blink of an eye.
The big question is: how involved should employers be in regulating and monitoring their employees’ use of smartphones? All-encompassing monitoring of employee smartphone use is a touchy area, but the permeation of smartphones in today’s corporate world and the corresponding risks to businesses necessitate (at the very least) that employers implement relevant guidelines concerning their use in the workplace. All it takes to damage a business is for one employee to misplace their smartphone without having first activated their security settings.
Privacy insurance: read the fine print
June 28, 2009
Your business has insurance for typical business risks, but will your insurance protect you from liability arising from privacy law compliance?
People are increasingly aware of their privacy rights. This heightened awareness has translated into a greater willingness to initiate costly and time-consuming privacy complaints. Thanks to laws like the Personal Information Protection and Electronic Documents Act (PIPEDA), the reality for businesses is that non-compliance with privacy laws can take a chunk out of the bottom line. Given the costs associated with failing to meet legal standards, it’s not surprising that many insurers now offer privacy insurance coverage. But what is privacy insurance, and will it actually protect your business when you need it most? The scope of coverage offered varies depending on the provider, so it’s important to read the fine print.
Be sure to ask what the policy covers. Some policies limit privacy insurance to protection from hacker attacks. But while hackers are a serious issue for any business, your insurance plan may need to do more. Depending on your jurisdiction and the applicable privacy laws, you may want to look for protection against any costs that can be imposed by the regulatory agencies that oversee compliance with privacy legislation. Otherwise, you might find you’re on your own for your business’s failure to fully meet the legal requirements for personal information under your control, including obligations to respond to access to information requests, obtain consents and ensure the accuracy of personal information holdings. It’s also a good idea to evaluate your existing protection. Your current business insurance may already provide you with the coverage you need. If, for example, your errors and omissions insurance already protects you against privacy breaches, purchasing additional insurance may not be necessary.
Consider what the privacy insurance plan won’t cover. Many plans don’t cover illegal or fraudulent employee conduct, and some stop short of protecting against anything beyond the unauthorized release of personal information. Court defence costs may also be excluded. Make sure you read the plan or have your lawyer go over it before you buy it.
Finally, don’t forget that the best insurance policy is to take as many proactive steps as possible to get your privacy house in order. If you’re reading this blog, chances are you already have some of these measures in place. If not, consider comprehensive privacy policies and procedures that are reviewed and updated on (at least) an annual basis by legal counsel with expertise in privacy law. Staff privacy training is another excellent proactive step. As the saying goes, the best offence is a good defence!
One small step…
March 24, 2009
In terms of privacy, as with many other things, each step forward seems to come with a catch that makes the step forward a little smaller than one would hope. Google, in response to demands from privacy advocates and users, has taken a progressive step forward and created a means for users of Google to opt out of their targeted advertising by allowing a user to access Google Ad Preferences to change settings or to opt out completely.
At the same time, Google has announced plans to launch a new type of targeted advertising. Currently, when an Internet user visits a webpage with Google Adsense, Google will store cookies on a user’s computer and remember their interests from previous searches. The example used by Google is that if you have an interest in gardening, you may be shown gardening ads along with those related to the site you are visiting.
While Google’s addition of its Ad Preferences program is encouraging for privacy advocates, it does come in the wake of an entirely new and – according to privacy advocates – more invasive means of targeting ads at users. As part of this new initiative, Google has asked all Google Adsense publishers to update their privacy policies to notify users of their site of the fact that interest-based advertising will be displayed.
The Privacy Commissioner once noted that although PIPEDA (and other privacy legislation) imposes obligations on organizations to take appropriate measures in protecting personal information, sometimes the more important role of privacy legislation is to help people shape their view of privacy.
By revising their privacy policies, businesses will be taking steps to comply with applicable privacy laws; but whether these steps are enough to address the expectations of their customers regarding privacy is a matter to be best considered by each business. In the meantime, if a business using Adsense has any questions about this change or requires any assistance in updating their Privacy Policy, I would encourage you to contact me to discuss.
Escrow as a new tool for privacy
March 23, 2009
Bell Canada recently announced that it would acquire The Source, a national electronics dealer. Bell has indicated that it will be acquiring substantially all of the assets of The Source.
I don’t know what those assets will be, but I think it is an interesting example of the fact that even in recessions we still see acquisitions of companies. When an organization’s assets are bought, one of the most valuable assets that are purchased is often its customer list.
PIPEDA and other applicable privacy laws, of course, govern transactions involving personal information. In the course of such transactions some companies are now implementing concepts once used only to secure physical assets. For example, many organizations are choosing to employ “escrow” arrangements to ensure the security of personal information.
Most businesses now understand that the implications of violating applicable privacy laws can be very serious to the reputation and bottom line of both the vendor and purchaser. As part of a sale of a customer list, and depending on the specific circumstances, both parties may agree that the customer list be placed in escrow until the transaction is completed. This ensures that what is likely the most valuable asset in the transaction – the customer list – is protected from unintended disclosures prior to the actual transfer of the business.
Help fight cyber-terrorism
February 27, 2009
Do you ever wish you were Jack Bauer from the TV show 24? Here’s your chance!
There are a growing number of articles that are highlighting the threat of “cyber-terrorism”. It’s a scary topic that is surely consuming the time of government technology infrastructure professionals in the U.S. and Canada. Some of these articles discuss the remote possibility that terrorists may perpetrate cyber-attacks against critical online government and corporate infrastructure. Other articles discuss the very real possibility that terrorists may simply use the Internet (and the information contained online) to plan attacks in the real world. Don Cavender, a special agent and instructor with the FBI’s Computer Training Unit at Quantico, Virginia, is quoted in an excellent ZDNet article and says that “the worry right now is not so much a cyberterrorism event…but when the terrorists use the Internet to facilitate the planning of these attacks.”
We all know that the Internet is filling up with vast amounts of data including people’s personal information, as well as corporate and government data. The lesson that I take from all of these “cyber-terrorism” related articles is that businesses should make sure that they are working with technology professionals to secure their databases and limit the amount of personal information and corporate data available online. Of course, there are many reasons for businesses to secure their databases and to limit what information is available online. For example, privacy laws such as Canada’s PIPEDA regulate the safeguarding of personal information. And, there are good business reasons to limit the availability of proprietary corporate data online. But, if you ever wished you were Jack Bauer, then here’s your chance to fight terrorism…one corporate move at a time.
Online shopping a risky transaction
February 12, 2009
Online shopping a risky transaction: Protect yourself from identity thieves
My November 5, 2008 column in the Winnipeg Free Press provides some tips on how to be a savvy online shopper and the benefits to online retailers of having secure websites and comprehensive online privacy policies.
Privacy matters to most customers
February 12, 2009
Privacy matters to most customers: Staff should be able to handle concerns
My October 1, 2008 column in the Winnipeg Free Press reports on a survey released by the Privacy Commissioner of Canada and the vital need for businesses to train their staff to identify and deal with privacy issues. Privacy training, or lack thereof, can affect the bottom line.
Data “packrats” failing customers
February 12, 2009
Data “packrats” failing customers: Companies need policies on retention
My December 3, 2008 column in the Winnipeg Free Press details the problems businesses can get into when they keep every single piece of information on their customers, even when they no longer need it.
Guidelines aid in use of surveillance cameras
February 10, 2009
Guidelines aid in use of surveillance cameras
My column of June 4, 2008 in the Winnipeg Free Press describes the guidelines published by the Privacy Commissioner of Canada jointly with the privacy commissioners of British Columbia and Alberta, and how businesses can use them to remain compliant with the law.
Businesses face challenge
February 9, 2009
Businesses face challenge in winning people’s trust
My November 7, 2007 column in the Winnipeg Free Press discusses the Privacy Commissioner of Canada’s annual report and what it means to private sector businesses.
Privacy is not a fad
February 9, 2009
Privacy is not a fad, laws are misunderstood
My September 5, 2007 column in the Winnipeg Free Press highlights the common misconceptions surrounding privacy law, against the backdrop of the Virginia Tech tragedy.
Privacy resolutions for 2008
February 9, 2009
My January 2, 2008 column in the Winnipeg Free Press makes some suggestions for businesses to improve their privacy efforts before legislation forces them to make them.
Mobile devices prone to ID theft
February 6, 2009
Mobile devices prone to I.D. theft
My August 1, 2007 column in the Winnipeg Free Press points out the security risks inherent in mobile data holders such as USB drives, laptops and portable hard drives.
Province failing on privacy issues
February 6, 2009
Province failing on privacy issues; citizens deserve better protection
My May 2, 2007 column in the Winnipeg Free Press poses a challenge to the participants in the upcoming provincial election of May 22, 2007 to follow through on promises of a Manitoba privacy commissioner.
Protecting confidential information
February 6, 2009
Take steps to protect confidential information
My April 4, 2007 column in the Winnipeg Free Press stresses the importance of having non-disclosure agreements in place when disclosing sensitive information to other organizations.
Protecting IDs is good business
February 6, 2009
Protecting IDs is good business, and it’s the law
With March being Fraud Prevention Month, my March 7, 2007 column in the Winnipeg Free Press lists some of the procedures businesses should have in place to ensure they are compliant with privacy legislation.
Identity theft growing rapidly
February 6, 2009
Identity theft growing rapidly
My February 7, 2007 column in the Winnipeg Free Press revisits identity theft with the publication of major data breaches by Winners and CIBC.
Buying or selling a business
February 6, 2009
Buying or selling a business requires due diligence
My June 7, 2006 column in the Winnipeg Free Press considers PIPEDA Case Summary #325, which sets out the rules regarding sharing customer lists of businesses being considered for sale.
Privacy protection should be at top of resolutions
February 5, 2009
My January 4, 2006 column for the Winnipeg Free Press suggests three cutting edge new year’s resolutions for corporate success.
NDP should support privacy bill
February 5, 2009
NDP should support privacy bill or say why not
My March 1, 2006 column in the Winnipeg Free Press discusses a private member’s bill, Bill 207, The Personal Information Protection and Identity Theft Prevention Act and why the NDP government should support it.
Outsourcing comes with risks
February 5, 2009
Outsourcing comes with risks; U.S. service providers bring privacy concerns
My April 5, 2006 column in the Winnipeg Free Press reports on the implication of Canadian businesses using American companies to store Canadian personal information.
Privacy still on Canadians’ radar screen
February 5, 2009
Privacy still on Canadians’ radar screen: poll
My August 2, 2006 column in the Winnipeg Free Press reports on a poll commissioned by the Privacy Commissioner of Canada to gauge how familiar Canadians are with their rights under PIPEDA.
Information requires safekeeping
February 5, 2009
Information requires safekeeping
In today’s economy, information is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. My September 6, 2006 column for the Winnipeg Free Press discusses the importance of protecting corporate information.
Taking your laptop to the U.S.? Maybe not
October 2, 2008
Last July, U.S. Customs and Border Protection publicly issued their Policy on Border Search of Information. You’re probably aware that customs agents can search your laptop for information on your potential terrorist activities, but did you know it extends to your cellphone, PDA and even your iPod or MP3 player?
The Washington Post online has an article explaining the policy (Travelers’ Laptops May be Detained at Border) as does Law Times (New U.S. Policy a matter of considerable concern). The Canadian Bar Association’s Practice Link gives some good suggestions for How to Secure your Laptop Before Crossing the Border.
Posted by Brian Bowman 