I recently discussed Bill C-30 (lawful access) with host Jeremy John on CityTV’s Breakfast Television Winnipeg. Click here to watch the discussion about this controversial online surveillance Bill.
There sure has been quite a bit of chatter amongst privacy professionals about the virtual strip search scanners being installed in Canadian airports. My last post addressed the substantive privacy issues. But on the lighter side, CBC’s Rick Mercer has had some fun with the issue in this supposed “Message from Transport Canada”. Check it out if you need a good laugh.
The Office of the Privacy Commissioner of Canada (OPC) has published some useful Guidelines for Processing Personal Data Across Borders to explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to third parties, including third parties operating outside of Canada, for processing.
As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.
PIPEDA provides that
an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
The primary means by which an organization can protect personal information that it transfers to a third party for processing is through a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.
Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.
There are a growing number of articles that are highlighting the threat of “cyber-terrorism”. It’s a scary topic that is surely consuming the time of government technology infrastructure professionals in the U.S. and Canada. Some of these articles discuss the remote possibility that terrorists may perpetrate cyber-attacks against critical online government and corporate infrastructure. Other articles discuss the very real possibility that terrorists may simply use the Internet (and the information contained online) to plan attacks in the real world. Don Cavender, a special agent and instructor with the FBI’s Computer Training Unit at Quantico, Virginia, is quoted in an excellent ZDNet article and says that “the worry right now is not so much a cyberterrorism event…but when the terrorists use the Internet to facilitate the planning of these attacks.”
We all know that the Internet is filling up with vast amounts of data including people’s personal information, as well as corporate and government data. The lesson that I take from all of these “cyber-terrorism” related articles is that businesses should make sure that they are working with technology professionals to secure their databases and limit the amount of personal information and corporate data available online. Of course, there are many reasons for businesses to secure their databases and to limit what information is available online. For example, privacy laws such as Canada’s PIPEDA regulate the safeguarding of personal information. And, there are good business reasons to limit the availability of proprietary corporate data online. But, if you ever wished you were Jack Bauer, then here’s your chance to fight terrorism…one corporate move at a time.
My September 3, 2008 column in the Winnipeg Free Press reports on the findings of the Privacy Commissioner of Canada regarding canada.com’s outsourcing to a U.S. based service provider. The finding highlights the complexities of Canadian and U.S. laws as they relate to the personal information of customers and reminds Canadian businesses of the need to have legal agreements with third party service providers, especially those located in the U.S.
My April 5, 2006 column in the Winnipeg Free Press reports on the implication of Canadian businesses using American companies to store Canadian personal information.