This week, like some of you, I travelled to the U.S. for the IAPP Global Privacy Summit. As usual, it’s a great conference so far, and now that it is almost over, I’m looking toward the next big event: the IAPP Canada Symposium. The programming for our event is fantastic, and, if this sold-out Summit is any indication of the growth our profession is experiencing, I’m looking forward to a similarly popular Symposium, buzzing with energy and enthusiasm.
This week at the Summit, I’ve been struck by the number of sessions dealing with data breach. I attended one yesterday—Data Breach Outside of the United States: What You Need To Know—and the room was jam-packed. Then, during the breaks, I strolled through the Exhibitor Hall, and again I noticed the large number of vendors present that want your business when you experience a breach.
I suppose I, too, am one of those people (when I’m not wearing my IAPP hat) so I had better be careful what I say about those who make a living from someone else’s bad fortune! In some cases, breaches are inevitable, and if we can learn something about them and improve organizations’ privacy practices as a result, we’re heading in the right direction. What is clear is that if it’s not government surveillance, it’s the data breach phenomenon that is dominating the discussion. It’s no surprise, then, that what you’ll see in this week’s news is a number of data breach stories that were, once again, generating headlines.
Also in the news is an article about Ontario Information and Privacy Commissioner Ann Cavoukian expressing her thoughts on the future of privacy protection and, in particular, how emphasis needs to be placed on the principle of accountability. This story dovetailed nicely with another session at the Summit in which the future of the Fair Information Principles was hashed out. This particular topic offers a refreshing twist on the nuts-and-bolt discussions about data breaches. After all, while data breaches clearly expose a weakness in a data security program, it is the obligation to respond to that breach that pushes the accountability envelope.
All in all, very good discussions and lots of news this week. One great conference will be coming to an end, and another will be just over the horizon. On that front, if there’s anything in particular you’re hoping to see at this year’s Symposium, let me know so we can continue to give you the programming you’re looking for.
Top Canadian Privacy News
Commissioner Will Appeal Court’s Decision (January 29, 2010)
Alberta's highest court ruled this week that the Information and Privacy Commissioner may no longer extend the 90-day term for privacy investigations unless he can justify the need for an extension on a case-by-case basis, the Edmonton Journal
reports. "The time rules intend to promote inquiry efficiency and the expeditious resolution of privacy claims," the Court of Appeal wrote in its decision. The case stems from the prolonged investigation of an Alberta Teacher's Association privacy complaint. Commissioner Frank Work said the decision will undermine the work of the commission and that he will appeal to the Supreme Court of Canada.
Complaint Alleges FIPPA Violation (January 29, 2010)
A staffer with Manitoba's opposition Progressive Conservatives (PC) has filed a privacy complaint with the provincial ombudsman, reports the Winnipeg Free Press
. She charges that the NDP's finance ministry disclosed to the media a letter related to charges of an improper relationship between the government and Manitoba Hydro. The letter was distributed to the media without the permission of the recipient, allegedly in violation of Manitoba's Freedom of Information and Protection of Privacy Act (FIPPA). "It's clearly illegal," said PC leader Hugh McFadyen. "It wasn't the NDP's right to make that decision to release it publicly."
Privacy Commissioners Focus on Tools to Keep Private Info Private (January 29, 2010)
Privacy commissioners used the forum provided by Data Privacy Day yesterday to focus on ways to protect personal information transmitted from computer to computer, the Edmonton Sun
reports. On a panel with BC Privacy Commissioner David Loukidelis and Saskatchewan Privacy Commissioner Gary Dickson, Alberta privacy boss Frank Work spoke about new laws coming this spring requiring companies to report breaches and holding them responsible for data losses or thefts by overseas cloud computing contractors. Dickson, meanwhile, warned of "the twin Cs" of data loss: "carelessness and curiosity." Separately, Ontario Privacy Commissioner Ann Cavoukian described Privacy by Design
, explaining that "embedding privacy into technology in a proactive way...is preventing privacy abuses beforehand. Privacy as a default is going to be the strongest protection you can have."
Gun Registry Privacy Complaint is Shot Down (January 29, 2010)
Privacy Commissioner Jennifer Stoddart has determined the RCMP did not violate the privacy rights of gun owners when it released their names, phones numbers and firearm information to a private company conducting a survey about Canada's gun registry, the Windsor Star
reports. In dismissing the complaint filed by former public safety minister Peter Van Loan last September, Stoddart notes the survey company was acting as a government contractor, was properly screened and deleted all raw data after delivering the survey to the RCMP. A spokesman for current Public Safety Commissioner Vic Toews, however, is quoted as saying the office "maintains that the use of long-gun owners' personal information was intrusive and inappropriate."
Critics Question Delay in Naming Info Commissioner (January 29, 2010)
The Federal Information Commissioner post has lacked a permanent leader since last June, and critics are calling the delay an example of the government's practice of limiting public access to information, the Toronto Sun
reports. One expert in the field is quoted as calling the government's delay in naming a permanent commissioner "disturbing." The information commissioner, who is appointed for a term of seven years and can only be removed by an order of Parliament, is responsible for reviewing complaints under the Access to Information Act. Suzanne Legault has been serving as interim commissioner since the end of June, and was recently appointed to serve until a permanent appointment is made.
Commissioner Cautions Against Carelessness (January 29, 2010)
Saskatchewan Information and Privacy Commissioner Gary Dickson is using a breach of psychiatric records to make a point about data protection. The Leader Post
reports that a Weyburn woman recently received the confidential details of a Regional Psychiatric Centre inmate via e-mail. The federal privacy commissioner has opened an investigation. Dickson, whose office is investigating 376 privacy violations at present, is reminding provincial businesses that simple, low-tech solutions can help prevent such incidents, citing one in use by a mental health clinic in northern Saskatchewan. His office has released guidelines
intended to help entities prevent data breaches.
Define Free. (January 29, 2010)
Never make the mistake of underestimating "the amount of your personal information that's circulating around," Privacy Commissioner Jennifer Stoddart tells George Stroumboulopoulos during an appearance on The Hour
. Stoddart discusses key privacy issues including social networking, street-level mapping and full-body airport scanners, and while she allays some privacy fears related to the scanners, she shares concerns about other ways personal information can be accessed. Stoddart cautions that all those free memberships and other offers found online probably share personal information without informed consent. If you want to know what personal information is out there, she suggests, "Google yourself twice a day."
Survey Says Canadians Question Online Safety (January 29, 2010)
Canadians responding to a recent survey are concerned about how their personal information is being accessed online, itbusiness.ca
reports. The "RSA 2010 Global Online Consumer Security Survey" indicates that 97 percent of Canadians are aware of potential risks such as phishing, and that 76 percent of those responding are concerned about their information being accessed at banking sites. The responses also indicate that 71 percent have concerns about social networking sites, while 64 percent worry about their privacy when using government sites and 53 percent question the safety of their personal information when using healthcare portals. The majority of those responding asked for stronger security features at all sites.
Grant Funding Available to Support Privacy Research (January 29, 2010)
Up to $500,000 in federal funding is being made available for research and public awareness initiatives related to privacy by the Office of the Privacy Commissioner of Canada (OPC). The funding comes as an extension of the OPC's Contributions Program, which supports nonprofit research on privacy. The OPC hopes to receive grant applications from researchers examining the impact of information technologies on privacy from either a scientific or technical point of view. The OPC is also encouraging individuals and organizations to submit proposals to conduct research in one of the three areas: identity integrity and protection, genetic privacy or national security. The deadline for applications is February 26.
Company Plans Release of Anonymous Browsing Tool (January 28, 2010)
Ixquick, the company that earned the respect of privacy advocates when it decided in 2006 to stop collecting IP data from users of its search tool, is again drawing praise for its planned release of a new proxy browsing service that the company says will allow users to visit Web pages without the site owner's knowledge, OUT-LAW.COM
reports. The company said it decided to offer the service because of what it saw as an opportunity to respond to increased consumer concern over their privacy while surfing the Web. "People are more concerned about online data retention policies than ever before," said CEO Robert Beens. "We wanted to offer them a useful tool and this proxy is a logical extension of our services."
Toronto Teacher Data Exposed by Laptop Theft (January 28, 2010)
More than 8,000 Toronto District School Board teachers have had their personally identifiable information exposed as a result of the theft of a laptop computer. CBC
reports that the computer was stolen from the Waterloo offices of the Ontario Teachers Insurance Plan in what has been described as a "routine smash and grab" burglary. It is not known if the sensitive data has been accessed, but Ontario Assistant Privacy Commissioner Ken Anderson warns that some identity theft rings have become involved in the theft or trafficking of laptop computers specifically for the information they contain.
Privacy Commissioner Launches New Facebook Probe (January 28, 2010)
The Office of the Privacy Commissioner (OPC) has announced it is once again launching an investigation
into Facebook. The probe comes on the heels of the OPC's extensive investigation last summer that resulted in Privacy Commissioner Jennifer Stoddart ordering Facebook to change its policies and practices to comply with Canada's privacy law, the National Post
reports. The new investigation is focused on a complaint alleging a tool introduced last month requiring users to review their privacy settings--a change Facebook made in response to the commissioner's first investigation--actually exposes more personal information. The new complaint "mirrors some of the concerns that our office has heard and expressed to Facebook in recent months," says Assistant Privacy Commissioner Elizabeth Denham.
Trading Privacy for Ego (January 27, 2010)
On the TechTalk
blog at CBS.com
, author Daniel Sieberg offers commentary on the attraction of seeking instant feedback and approval through the Internet's broad reach, describing the process as trading privacy for ego. "Privacy is not the same thing as secrecy," Sieberg suggests, noting that in spite of an individual's propensity to share certain information behind the guise of an avatar, most people still withhold sensitive personal details of their lives. Even so, there's a subtle allure to social networking and, over time, individuals may become less and less cautious about what they share, a phenomenon that led Facebook founder Mark Zuckerberg to call this trend toward increasing openness the new "social norm."
Canadians Question Online Privacy Protection (January 26, 2010)
A government-sponsored survey indicates that only six percent of Canadians trust social networking sites to protect their personal information, the National Post
reports. Avner Levin, director of the Privacy and Cyber Crime Institute at Ryerson University, notes that many people have concerns about their personal information, "but it doesn't translate into some kind of action, like, I'm going to stop using this particular Web site or this online service." The survey of 2,200 Canadians found that 74 percent believe the government should regulate how street-level images of residences are used on the Internet. While fewer than 20 percent believe businesses will protect their personal information, results were somewhat better for medical institutions and government agencies at 58 percent and 46 percent, respectively.
Sharing “TMI” on Social Media Sites Helps ID Thieves (January 26, 2010)
A recent study indicates that more than half of those ages 45 and older who use popular social networking sites could fall prey to identity thieves because they share too much information, the San Francisco Chronicle
reports. The study, which polled more than 1,000 adults, found that 14 percent of respondents--and 20 percent of those over the age of 60--posted their full home addresses in their profiles, and about 50 percent revealed information that could tip thieves off to their bank account passwords. Experian, which commissioned the study, recommended avoiding posting specific personal details and being sure that online quizzes or games come from a reputable source.
BC Names Interim Privacy Chief (January 26, 2010)
Six days after former Information and Privacy Commissioner David Loukidelis resigned to accept another post within the British Columbian government, the province has named an interim commissioner, the Globe and Mail
reports. Paul Fraser, former conflict of interest commissioner, will assume the privacy commissioner role until a permanent replacement is appointed when the legislature reconvenes in the spring. The six-day delay in replacing Loukidelis had prompted some to suggest that the government does not take privacy seriously enough, but BC House Speaker Bill Barisoff said the delay was not excessive in order to accommodate the right choice of replacement.
IAPP Announces New Board Members (January 22, 2010)
The International Association of Privacy Professionals has announced new appointments to its 2010 Board of Directors. Five new members have joined the board and three existing members have moved into leadership roles. Incoming board members hail from Microsoft, Hewlett-Packard, Siemens, Hunton & Williams LLP and the Graduate Management Admissions Council. New board president Nuala O'Connor Kelly, CIPP, CIPP/G, said, "I'm extremely pleased to welcome these distinguished privacy professionals to our board. Their vision and experience will be invaluable in leading the IAPP and the privacy profession into the next decade."
Privacy Commissioner Receives Palm-Scanning Complaint (January 22, 2010)
The Office of the Privacy Commissioner is being asked to investigate whether requiring students to provide fingerprints or palm scans to take competitive graduate school admission tests is an invasion of privacy, the Toronto Star reports
. A Toronto student has filed a complaint that the infrared scan of the blood vessels in the palm, which is required of the approximately 266,000 students who take the GMAT admissions test each year, is an invasion of privacy. Other students, however, have a different point of view, as expressed by one pharmaceutical student who says, "I think it's great to have these measures in place when you hear about people hiring someone else to write the test."
Complaint Alleges Breach of Youth Privacy (January 22, 2010)
Ottawa's Public Interest Advocacy Centre has filed a complaint with Federal Privacy Commissioner Jennifer Stoddart alleging Nexopia has committed six violations of the Personal Information Protection and Electronic Documents Act, the Globe and Mail
reports. The complaint alleges "unnecessary and non-consensual use and disclosure of personal information" against a site that has attracted attention for providing an open venue for teens to discuss controversial issues. Nexopia has stated it has 1.4 million members and is "the place to be for teens looking to express themselves to the world." Since it is marketed to young teens, lawyer John Lawford says Nexopia should meet a different level of privacy than other social networking sites.
Commissioner Seeks Input on Social Networking and Privacy (January 22, 2010)
Federal Privacy Commissioner Jennifer Stoddart is accepting public input on the ways personal information on social networking sites can lead to the tracking and targeting of consumers, the Globe and Mail
reports. Stoddart says the focus is on "issues that we feel pose a serious challenge to the privacy of consumers, now and in the near future." In preparation for Parliament's review of the Personal Information Protection and Electronic Documents Act, Stoddart is accepting written submissions through March 15. The Canadian Internet Policy and Public Interest Clinic is praising the plan, which also includes public discussion panels to be held in Toronto in April and Montreal in May.
Ring Agrees with Workers at Iron Ore Co. (January 22, 2010)
Union workers at the Iron Ore Company in Newfoundland say the company's demand that certain workers sign over full access to their medical records is an invasion of their privacy, reports the Daily Business Buzz
. A company spokesman says it needs the records to assess who is fit for which jobs in order to provide a safe working environment. But the provincial privacy commissioner, Ed Ring, says requesting all medical records is excessive, and if information is required, it should be a minimal amount, only enough to satisfy the company's purpose. "The disclosure of an entire medical record is, in my view, way and beyond what would be considered reasonable," Ring said.
UN Official Calls for Int’l Declaration on Data Protection (January 22, 2010)
A UN official has called for a new international agreement on privacy, reports The Register
. In a report to the UN Human Rights Council, special rapporteur Martin Scheinin said "a global declaration on data protection and data privacy" is necessary to stopgap what he describes as the loss of basic privacy protections in the wake of expanded counter-terrorism efforts. European Data Protection Supervisor Peter Hustinx told the IAPP Daily Dashboard
newsletter that he considers this "a very welcome call for action that should be considered very carefully." Hustinx said that global standards and global safeguards are required to limit increasing surveillance activities and to ensure a legitimate global use of new technologies. However, Martin Abrams, executive director of the Hunton & Williams Centre for Information Policy Leadership, said that until UN member states can find the balance between physical security and data protection within their own borders, it is unlikely they will be able to move forward with an international agreement.
Loukidelis Leaving Post to Become Deputy AG (January 22, 2010)
British Columbia Information and Privacy Commissioner (IPC) David Loukidelis will become the province's deputy attorney general, the Vancouver Sun
reports. Effective February 1, Loukidelis will replace Acting Deputy Attorney General Jerry McHale. According to a BC government press release, an all-party legislative committee will select the new privacy commissioner. Meanwhile, an acting privacy commissioner will be named. Loukidelis has been BC's IPC since 1999. A Kelowna.com report
says "it will be no easy task finding someone of Loukidelis's ability, experience or determination."
Microsoft Reduces Search Data Storage Limit (January 20, 2010)
Microsoft has announced that it will further reduce the length of time it holds data entered into its Bing search engine, the New York Times
reports. The decision comes in response to criticism related to search data management from within the European Union and will be implemented over the next 18 months for users everywhere, not just in the EU. Professor Hendrik Speck of the University of Applied Sciences in Kaiserslautern, Germany predicts that the move will prompt Bing competitors to follow suit, saying, "Google and other engines are starting to realize that consumers around the world are placing an increasing value on privacy and that can have business consequences." (Registration may be required to view story.)
IPC Investigates Medical Waste Disposal (January 15, 2010)
Ontario's Information and Privacy Commissioner is looking into the discovery of dozens of medical waste containers in the vicinity of a methadone clinic in Scarborough, reports the Toronto Sun. The containers are labeled with patients' names, the report states. "There are two issues here," said a Toronto Public Health official. "The fact that patients' names are on the containers is a huge privacy issue..." and what types of fluids the containers house is the other, said Dr. Howard Shapiro.
IPC Orders Widespread Encryption (January 15, 2010)
Ontario's Information and Privacy Commissioner has ordered provincial health authorities to encrypt all personal health information stored on portable devices such as memory sticks and laptops, reports the CBC. The order follows the IPC's investigation into the loss of an unencrypted USB storage device that contained the sensitive personal information of 83,000 people who attended H1N1 flu clinics in the Durham Health Region last fall. Commissioner Ann Cavoukian warned victims to be on alert for identity theft. The commissioner has also questioned the amount of information collected from those who attended the clinics, saying that minimizing the data collected helps prevent such losses.
Privacy Group Refutes TSA Claims on Scanners (January 12, 2010)
The Electronic Privacy Information Center (EPIC) has taken issue with the Transportation Safety Administration's (TSA) claims that the controversial whole body scanners being deployed to airports around the world cannot be used to store and transmit near-naked images of the human body, Computerworld reports. Using information gained following a Freedom of Information Act lawsuit Mark Rotenberg, EPIC's executive director, asserts that the scanners include hard disk storage, USB interfaces, and Ethernet connectivity and are fully capable of storing and transmitting images.
Saskatchewan Not Gambling with Gamer Privacy (January 12, 2010)
Government-owned casinos in Saskatchewan have announced a change in policy that means patrons purchasing event tickets with cash will no longer be required to provide personal information, CBC reports. Saskatchewan Information and Privacy Commissioner Gary Dickson announced the change this week after reviewing the ticket purchasing policies at Casino Regina and Casino Moose Jaw. Dickson believes businesses should only collect the information needed to transact business and told the CBC: "We started investigating and we had a number of discussions with Saskatchewan Gaming and have worked with them over the last year to redo their policy. They now have signage at the casinos in Moose Jaw and Regina indicating that if people are paying cash for a ticket, they don't have to provide personal information."
Differing Views Complicate Int’l Travel Security (January 11, 2010)
As the U.S. amends its air travel security policy in the wake of the failed Christmas Day terror attempt, it will likely find that differences in the ways other nations approach personal privacy issues will complicate security negotiations, the Washington Post reports. The article states that, while the U.S. has authority where a flight is headed there, in practice any changes to security will be influenced by the laws and social norms of the host country. Approaches to data collection and security screening depend on the relationship with the nation in question. "We have very little control in the United States over the way people apply standards overseas," said former Homeland Security secretary Michael Chertoff. "It only works with the cooperation of foreign governments." (Registration may be required to access this story.)
Ring: Privacy Rules Breached (January 8, 2010)
Newfoundland and Labrador Information and Privacy Commissioner Ed Ring has concluded an investigation into the alleged disclosure of personal information from municipal records, reports the Western Star. He found that the Access to Information and Protection of Privacy Act was likely breached when information from the Town of Steady Brook's records was disclosed, but stated in his report that he was not able to identify the individual(s) responsible for the breach, which occurred almost two years ago. Ring recommended the town of Steady Brook increase employee privacy training. "The action which gave rise to these complaints appears to have been intentional and may have been prevented had the individual(s) involved had a better appreciation of privacy under the Act."
Technology could Lessen Instrusiveness of Full-Body Scanners (January 8, 2010)
While some Canadian Privacy regulators monitor the government's moves on pimplementing more full-body imaging scanners at the nation's airports, Ontario's privacy commissioner says that technological measures to lessen the invasiveness of certain airport security scanners are available and effective, reports OUT-LAW.COM. "Improved airport security...need not come at the expense of privacy - both may be achieved together," wrote Ann Cavoulian in a report published last March. meanwhile, a University of Ottawa professor says the millimeter-wave scanner actually enhances privacy. And a Montreal Gazette editorial asserts that any loss of privacy due to the scanners is worth it. "Safety trumps modesty. Period."
Stoddard: Hold Gov’t to Its Word (January 8, 2010)
Federal Privacy Commissioner Jennifer Stoddart discusses airport imaging scanners in an editorial that is running in newspapers across the nation today. On the heels of the failed Christmas day airliner bombing, the Canadian government announced this week that it would install dozens of millimeter-wave imaging scanners in the nation's airports, and promised to take all reasonable steps to safeguard the privacy and personal dignity of travelers. "Canadians should hold it to its word," Stoddart writes. She outlines her office's work with the Canadian Air Transport Security Authority (CATSA), which as been trialing the security scanners, and discusses the four-point impacts of such devices.
Your Posts Diminish Everyone’s Privacy (January 8, 2010)
The Intimacy 2.0 era has dawned and it's not just those who post intimate details about their lives online whose privacy is diminished. A university fellow says that such sharing undermines everyone else's right to privacy, reports BBC News. "As more private lives are exported online, reasonable expectations are diminishing," says Kieron O'Hara of the University of Southampton. "When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes."
USB Sticks Recalled (January 8, 2010)
At least three vendors have recalled hardware-encrypted USB memory sticks after penetration testers discovered a vulnerability that could allow hackers access to the data contained on the devices, reports CSO. According to one of the USB vendors affected by the flaw, "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data..." The flaw pertains to the drives' access-control mechanisms.
20-Somethings and Privacy (January 8, 2010)
A Curtin University of Technology researcher has published a paper on how certain Facebook users understand and navigate privacy concerns. The paper, which appears on the peer-reviewed journal site First Monday, builds upon a Canadian ethnographic study about the privacy concerns of younger users. Specifically, the research explores how a 20-something community of Facebook users perceives privacy and how the users' privacy concerns differ from those of others. The paper also explores ways that users attempt to enhance their social privacy and why users remain active on the site despite their privacy concerns.