Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

HEALTHCARE PRIVACY

I Read in Your Blog You’ve Been Feeling Depressed… (March 31, 2010)

The Washington Post delves into the ethical and professional questions arising over the online presence of mental health practitioners and their consumption of patients' online data in the course of treatment. The proliferation of publicly available patient data on social networks, blogs and elsewhere is raising new questions about the provider-patient relationship. "We are just beginning to understand what ethical issues the Internet is raising," says Stephen Behnke, ethics director for the American Psychological Association. Some therapists consider the Internet a valuable treatment tool, saying, "You could almost make the argument that it's negligent not to search online...," while others are skeptical. "To write rules that allow our field to grow and develop and yet prevent [patient] harm at the same time: That's the challenge," Behnke says. (Registration may be required to access this story.)
Full Story

DATA LOSS—CANADA

Security Shortcomings Caused Toronto Hydro Breach (March 30, 2010)

The Information and Privacy Commissioner of Ontario has said Toronto Hydro Corporation must fix the "security shortcomings" that led to a breach of its e-billing system last year, the Toronto Star reports. The breach involved a third party's unauthorized access to account numbers for all of Toronto Hydro's 640,000 customers and the use of 179,000 of those numbers to create online billing accounts for customers without their consent, the report states. The commissioner is recommending Toronto Hydro include complex passwords, e-mail address verification and activation codes to improve e-billing security. "The fortunate thing in this case, we haven't seen any evidence it was used improperly," said Assistant Commissioner Brian Beamish.
Full Story

ONLINE PRIVACY

It Now Takes More Clicks to Escape E-Mail Lists (March 29, 2010)

A study of 100 large online retailers has shown that five times more are requiring at least three clicks to escape from e-mail marketing lists than in 2008, the New York Times reports. The Responsys survey also indicates that the number requiring just one click to be removed from an e-mail list has dropped to three percent, down six percent in that same time period. The report states that while retailers may not want to let their subscribers get away too easily, Chad White of Responsys recommends they let customers leave with two clicks or fewer as the time it takes to opt out is "being measured against that one click on their report spam button." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Browser Fingerprinting Gains Attention (March 29, 2010)

A tracking technique that creates sophisticated digital fingerprints of Web users has emerged from the banking sector and seems poised to enter the wider Web. PCWorld reports on the browser fingerprinting method, which was developed originally to help banks detect online fraud but is now being sold as a Web service. The method involves the collection of identifying data on one's browser in addition to biometric identifiers such as typing speed and patterns, the report states. It has the attention of the Electronic Frontier Foundation, which describes the legality of the method as fuzzy.
Full Story

ONLINE PRIVACY

Global Data Protection Law Needed for Cloud (March 29, 2010)

European leaders are calling for a worldwide agreement on data protection to address data security weaknesses related to cloud computing, ComputerWeekly reports. Speaking before an international audience of 300 cyber law experts at the Council of Europe, Francesco Pizetti, president of Italy's data protection authority, said when it comes to the cloud, "It is not possible to continue to guarantee the protection of citizens' data without very strong international rules accepted by all countries around the world." Meanwhile, Udo Helmbrecht, executive director of the European Network and Information Security Agency (ENISA), said the agency is seeking European regulation to require cloud providers to notify customers about security breaches.
Full Story

SOCIAL NETWORKING

Facebook Privacy Changes, “Places” Feature Raise Concerns (March 29, 2010)

Facebook's announcement of changes to its privacy policy--including amendments permitting the site to share data with "pre-approved" third-party Web sites--and plans to add a new "places" feature to allow users to add their locations to their pages--are raising privacy concerns. The Financial Times reports that the privacy policy changes would allow sites to receive Facebook user information, including "names, profile pictures, gender, user IDs, connections and any content shared using the Everyone privacy setting," and potentially retain that information "to the extent permitted" under the third-party sites' policies. Marc Rotenberg of the Electronic Privacy Information Center (EPIC) said Facebook is "pushing the envelope," and EPIC is considering bringing a new complaint before the Federal Trade Commission. (Registration may be required to access this story.)
Full Story

PRIVACY LAW

New BC Gov’t Powers Raise Privacy Concerns (March 26, 2010)

In a move that is raising concerns about privacy implications, the British Columbia government presented an 88-page submission seeking expansion of its powers to collect and share citizens' private information to a special committee reviewing the Freedom of Information and Protection of Privacy Act this week. The Tyee reports that the provincial government has not only proposed the collection of personal information without consent, but also the storage of such information outside of Canada. "It's the scope of the thing," said Vincent Gogolek of the Freedom of Information and Privacy Association. "They really are looking to change the basis of the act to remove people's control over their own information...This is stuff you don't want bouncing around all over the place."
Full Story

DATA LOSS

Employees Suspended for Breaches (March 26, 2010)

Two employees of Newfoundland's largest healthcare authority have been suspended for inappropriately accessing patient records, reports CBC News. "They were curious," said Eastern Health CEO Vickie Kaminski. "It was their neighbour. It was their daughter's new boyfriend. All kinds of curiosity reasons for accessing the information." The employees were suspended for three months without pay, but Kaminski says that as Eastern Health moves toward a zero-tolerance policy, "It is anticipated that a willful breach will lead to termination..." The breaches were discovered during a weekly audit. Another breach resulted when a laptop was stolen from an employee's car. Eastern Health has begun notifying affected patients.
Full Story

DATA PROTECTION

Commissioner Sharing “Privacy by Design” with U.S. (March 26, 2010)

Ontario Information and Privacy Commissioner Ann Cavoukian is getting a favorable response from U.S. officials to her "Privacy by Design" strategy for protecting personal information, the Washington Internet Daily reports. Cavoukian, who spoke this week at a Stanford Law School forum, said U.S. officials including Federal Trade Commission Chairman Jon Leibowitz and House Communications Subcommittee Chairman Rick Boucher (D-VA) have shown interest in creating user control into technology and business models. Maneesha Mithal of the FTC Division of Privacy and Identity Protection agreed with Cavoukian's strategy, saying, "We think it's a great idea for us to be baking privacy into these products from the beginning." (Registration may be required to access this story.)
Full Story

TRAVELLERS’ PRIVACY

E-Passports Continue to Raise Concerns (March 26, 2010)

As early as next year, Canadians who apply for passports will receive documents with chips that contain digital images and personal information such as names and dates of birth, which is raising concerns about privacy and identity theft. The Montreal Gazette reports that Passport Canada believes e-passports will increase security, but the Office of the Privacy Commissioner (OPC) continues to be very interested in this issue and is expecting an update on the plan in the weeks ahead. "We plan to look at that report carefully to determine whether or not we have any outstanding concerns or questions from a privacy perspective," said Anne-Marie Hayden of the OPC.

Full Story

IDENTITY THEFT

Study Ranks Riskiest Cities for Online ID Fraud (March 26, 2010)

When it comes to online identity fraud, Burlington, Ontario, has made the top of the list for Canada's riskiest cities, the Edmonton Sun reports. A recent study from Symantec has revealed the country's top 10 cities most vulnerable to ID theft, the report states. While the list does include large cities, the study found that residents in wealthier suburbs had more access to computers and the Internet and were at greater risk for identity fraud. After Burlington, the remaining top 10 are Port Coquitlam, Langley and Vancouver, BC; Calgary, AB; Oakville, Markham and Toronto, ON; Kelowna, BC, and Kitchener, ON.
Full Story

ONLINE PRIVACY

Google Expanding Street View in Canada (March 26, 2010)

Google has announced it is gearing up to expand its Street View mapping to every Canadian province and territory. CBC News reports that Google will spend the next few months photographing streets in cities and towns throughout Canada as the country joins the U.S., UK and France in having nationwide Street View. When Street View was first introduced in Canada, Privacy Commissioner Jennifer Stoddart raised concerns that the service could violate privacy laws, the report states, but Google has since added technology aimed at alleviating those concerns. Google also confirmed it will be heading back to Windsor to take new pictures after city officials complained that the existing photos were taken during a strike last summer and show unkempt streets and garbage piles in many locations.
Full Story

SOCIAL NETWORKING

Photo Tagging, Employee Tracking Raise Privacy Concerns (March 25, 2010)

In the wake of announcements that Swiss and German privacy authorities are examining whether the world's largest social networking site is infringing upon personal privacy by allowing its users to post content such as photos and e-mail addresses of other people, the Los Angeles Times reports that a Facebook spokeswoman said regulator reviews are a fairly standard practice. "We believe that Facebook's privacy features respect and are consistent with privacy laws, regulations and policies around the world, as well as, importantly, users' expectations and needs," she said. Meanwhile, a U.S. company has announced the creation of Social Sentry, a new program companies can use to automatically monitor their employees' public activities on social networking sites.
Full Story

PRIVACY LAW—CANADA

Law Group Examines Breach Notification Requirements (March 24, 2010)

When it comes to notification requirements for security breaches involving Canadian data, federal and provincial privacy commissioners have established guidelines for companies to follow in the event of data loss or theft. W. Scott Blackener of Information Law Group points out that while Canada does not have the legally enforceable breach notice statutes in place in the U.S., "courts are likely to defer to the expert commissions and consult the guidelines in deciding whether an organization suffering a security breach has violated PIPEDA or a provincial PIPA, or whether the organization has met contractual expectations or a duty of reasonable care under tort law." Blackener also points out that Special Commissions at the federal level and in the provinces of Alberta and British Columbia have recommended amending privacy legislation to mandate notification of material security breaches.
Full Story

PERSONAL PRIVACY

I Always Feel Like Somebody’s Watching Me (March 23, 2010)

The use of video surveillance in retail stores is growing and so is concern about loss of privacy, reports the New York Times. Stores are tracking customers' browsing habits and then studying them to identify potential changes that might improve the shopping experiencing and increase sales. But some question the ethics of these methods, especially as facial recognition software is added to the mix. "I think it is absolutely inevitable that this stuff is going to be linked to individuals," says Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Privacy in the Video Everywhere World (March 22, 2010)

The emerging online video revolution begs a new definition of the word privacy, The Guardian reports. New sites are making online video more immediate and communal, says author Victor Keegan, giving us a "taste of the future when everyone will have instantaneous access to almost anyone else." Archiving video in the cloud would be an "amazing tool...if anyone ever has the time to go through it," but could also come at the expense of our privacy. "Indeed..." writes Keegan, "Whatever our fears about governments collecting data about ourselves, we seem to be two steps ahead of them in revealing it all ourselves voluntarily."
Full Story

ONLINE PRIVACY

Privacy Eroding? Look Within. (March 22, 2010)

The Atlantic responds to recent articles about the loss of privacy in the online environment, saying "Don't blame Facebook" for its erosion. Derek Thompson writes that our privacy is vanishing online because we want it to. "Occasionally Facebook screws up," he writes. "But mostly, we sacrifice our privacy online for the human instinct to share and feel connected. If you want somebody to blame, look in the mirror." Thompson says Cornell University Professor Jon Kleinberg offers words to live by in saying, "When you're doing stuff online, you should behave as if you're doing it in public--because increasingly it is."  
Full Story

DATA PROTECTION

Copy Machines a ‘Gold Mine’ for Data Thieves (March 22, 2010)

The Toronto Star reports on the potential privacy implications of photocopiers in the work place. Multi-purpose copy machines store a wealth of information on their hard drives and it can be easily hacked, the report states. One security expert who reconfigures used copy machines says businesses are unaware of the privacy breach risks when a copier is replaced. "In almost all the machines I have seen, the files, phone numbers, fax numbers and e-mail addresses are left there as if it was still in the office," he says, adding that he often comes across files from insurance companies and medical facilities. Another expert says if linked to an unsecured network, copier data can be found and tracked online.
Full Story

PRIVACY—CANADA

Opinion: Show Dickson the Money (March 22, 2010)

A StarPhoenix editorial calls the Saskatchewan government's denial of more funding for the privacy commissioner's office "short-sighted." Despite a 113 percent increase in demand for services in the past year and a 12 to 18 month wait time for case resolution, Commissioner Gary Dickson's request for an additional investigator has been denied for a third time. Instead, Justice Minister Don Morgan has suggested "internal shuffling" of resources to alleviate the backlog. But "It's absurd to expect that even adding one more investigator to the current complement of three can keep abreast of the workload involved in serving the privacy-related consultation and advisory needs" of so many, the report states.
Full Story

DATA LOSS

Breach Affects Former Parliament Staffers (March 19, 2010)

The House of Commons has launched an internal probe after an administrative error resulted in 697 personal income tax forms being mailed to the wrong addresses, the Ottawa Citizen reports. The forms, sent to parliament members' former staffers, contained personal information including social insurance numbers, employee earnings and other identifying information. A House spokesman said the unintended recipients have been instructed to return the sensitive information, though some reported already having destroyed it. The spokesman also said steps were being taken to prevent future breaches. Meanwhile, the House has set up a hotline and consulted credit agencies to monitor the affected employees for identity theft.
Full Story

DATA LOSS

Health Region Sends Information to Wrong Patient (March 19, 2010)

A Melville woman says the Sunrise Health Region sent her the personal health information of a deceased patient mistakenly, the Leader-Post reports. The woman, thought to be next-of-kin, received the deceased's radiology test results in the mail. A spokeswoman for the region says it is reviewing patient information as well as databases to inform the correct next-of-kin and is sending form letters to patients to limit the release of personal health information. Regina's privacy commissioner said he expects a report from the region following an internal investigation, adding that the breach may have "pointed out a part of a system that needs to be re-thought."    
Full Story

DATA LOSS

Virus Potentially Compromises Patient Files (March 19, 2010)

Alberta's privacy commissioner has launched an investigation after thousands of patient files at a northeast medical clinic were potentially compromised, the Calgary Sun reports. Two viruses infected one of the University of Calgary Sunridge Medical Clinic's computers, which contained medical legal reports and billing data, and potentially contained test results and specialist consultation forms. The clinic has notified more than 4,700 patients about the breach. "It seems the bad guys are always two steps ahead in terms of technology," said Wayne Wood, spokesman for the commissioner, adding that the investigation will take at least a month to complete.
Full Story

PRIVACY LAW—U.S.

Settlement Approved, Foundation to be Established (March 18, 2010)

A federal judge has approved Facebook Inc.'s settlement of a lawsuit related to its Beacon service, Bloomberg reports. Yesterday, U.S. District Court Judge Richard Seeborg in San Jose ruled that the settlement, which will see Facebook establish a privacy foundation, is a better use of the funds than distributing them among the 3.7 million people represented in the class action. Some had objected to the proposed settlement, questioning the fact a charity, rather than class members, would benefit, and suggesting that because Facebook would establish the foundation, it would be "paying itself." But in yesterday's ruling, Judge Seeborg said, "there is no persuasive showing that the foundation will be a mere publicity tool for Facebook."
Full Story

DATA LOSS

Hotels a Hot Target for Hackers (March 18, 2010)

Hotels are attractive targets for hackers seeking customer credit card data, the Wall Street Journal reports. According a recent SpiderLabs study, 38 percent of its 2009 data breach investigations occurred at hotels, more than in any other industry. Verizon Business manager Dave Ostertag says his company has also noticed an increase in hotel breaches. Once a hacker finds a flaw or weakness, Ostertag says, "they want to replicate it as many times as they can." Experts recommend that hotels become compliant with the Payment Card Industry Data Security Standard (PCI DSS) in order to help prevent breaches. "Complying with the PCI DSS standard is one of the most effective ways to minimize risk as it relates to data security around credit card information," Navigate LLC founder Chris Zoladz, CIPP, tells the Daily Dashboard. A former privacy executive in the hotel industry, Zoladz says that while the PCI DSS is not perfect, "at the end of the day...hotels and other companies that follow the standard will have less risk than if they didn't follow it." (Registration may be required to access this story.)   
Full Story

DATA LOSS—CANADA

Bank Mails Customers the Wrong Data (March 18, 2010)

An Ottawa man says he will leave his bank after it mailed him another customer's personal information. The statement included someone else's name, mailing address and deposit date as well as their RRSP and social insurance numbers. Scotiabank acknowledges that a small number of customers received the wrong tax receipts, the Ottawa Citizen reports. The bank notified the Office of the Privacy Commissioner (OPC). An OPC spokesperson says that although institutions aren't legally required to report data breaches, "the banking sector is one of the industries that is proactively doing so."
Full Story

SOCIAL NETWORKING—U.S.

Internet Can Be Treasure Trove for Data Miners (March 17, 2010)

Even if you decide not to share your personal information online, your friends and colleagues may be doing it for you, the New York Times reports. While social network users can adopt strict privacy controls, that is often not enough to protect their personal information "in the interconnected world of the Internet," the report states. Researchers like Ralph Gross and Alessandro Acquisti, who will be a featured presenter at the IAPP Global Privacy Summit in April, have shown just how much information can be gathered by "data mining" the Internet. The two Carnegie Mellon researchers were able to accurately predict Social Security numbers for 8.5 percent of those born in the United States between 1989 and 2003. The FTC is exploring these and other online privacy issues at its third and final roundtable today. (Registration may be required to access this story.)
Full Story

PRIVACY

Commissioner: Creativity is Essential in Facing New Privacy Challenges (March 17, 2010)

When it comes to addressing the new challenges arising from rapidly developing technologies, Canadian Privacy Commissioner Jennifer Stoddart is urging privacy professionals to be more creative and strategic than ever before. "Increasingly, those responsible for privacy within organizations need to think outside the box," said Stoddart, who was participating in a panel discussion as part of the International Association of Privacy Professionals (IAPP) 10th Anniversary Celebration in Washington, DC. "My message to privacy professionals is that they need to go beyond the strict requirements of the law," she said, urging them to ask the question, "What do we need to do to respect people's privacy and minimize the intrusion on that privacy?"
Full Story

PRIVACY LAW

What is Social Networking’s Place in the Courtroom? (March 17, 2010)

Law Times reports that evidence gathered from social networking sites has been used increasingly in areas such as criminal justice, family law and jury selection in the U.S., while many Canadian employers monitor staff members' online profiles for derogatory statements about their work. "Social networking sites can provide a wealth of information for lawyers," writes author and attorney John Browning. "From educational background and work history to intimate revelations and incriminating video, this digital treasure trove is yours for the taking when access is unlimited." When it comes to use of such material, the report states, some argue that "privacy is becoming an anachronism" while, on the other side, "there's the reality that people are willingly offering up intimate details of their lives by posting blogs and photographs."
Full Story

DATA LOSS—CANADA

Prescription Records Litter Street (March 17, 2010)

The Ontario Information and Privacy Commissioner is investigating a data breach after thousands of old prescription records ended up on an Ottawa road last week, the Ottawa Citizen reports. Several garbage bags containing the records fell out of a dump-bound truck after a pharmacist found the records in his store's basement and asked a friend to dispose of them. The records apparently belonged to pharmacies that occupied the building previously. A spokesman for the commissioner said the incident is being investigated to make sure it doesn't happen again.
Full Story

BEHAVIORAL TARGETING

Industry under “Fairly Significant Assault” (March 17, 2010)

While some in the advertising industry are warning peers to be mindful of their practices as the threat of increased regulation looms, others are experimenting with methods that would be considered privacy invasive by some, reports MediaPost News. At the Collaborative Alliance meeting this week, advertising industry thought leaders heard from Interactive Advertising Bureau (IAB) CEO Randall Rothenberg, who warned "If there's something that's going to freak out your consumers, don't do it." Following his presentation, attendees heard from the managing director of an out-of-home ad agency about a recent digital billboard campaign that involved a company's employees watching passersby and directing targeted messages to them in order to "drive engagement."
Full Story

PRIVACY—CANADA

Stoddart: Global Data Flow Complicates Privacy Regulations (March 16, 2010)

Real-time globalization and the instantaneous worldwide flow of data are changing the terrain of privacy regulation. That's according to Jennifer Stoddart, Canada's privacy commissioner, speaking at last month's Privacy and Security Conference in Victoria. Stoddart said the changes in international data flow, among others, have resulted in significant challenges for administering protective privacy regulations for Canadians' personal information. The Spanish Initiative, a draft international privacy standard recently endorsed in Madrid, is a "valuable first step towards a harmonized approach to data protection" she said, adding that Canada is working more closely with other countries to create uniform rules and standards, the London Free Press reports. However, Stoddard acknowledged that "a single, enforceable global standard for privacy won't materialize overnight--if ever."
Full Story

ONLINE PRIVACY—CANADA

Opinion: While Technology Continues to Evolve, Privacy is Still the Social Norm (March 15, 2010)

Privacy has not ceased to be the norm, Ontario Information and Privacy Commissioner Ann Cavoukian writes in an opinion piece for the Globe and Mail. Instead, she writes, privacy "is a dynamic that is a complex function based on an individual's needs and choices--choices that must be respected and strongly protected if we are to maintain freedom and liberty in our society." Pointing out that modern technology has transformed the way personal information can be disseminated, she stresses that it should still be up to individuals what they share. "The human condition requires connection: We are social animals who seek contact with each other," she writes. "We also seek privacy: moments of solitude, intimacy, quiet, reserve and control--personal control."
Full Story

DATA PROTECTION

BC Government’s Protection of Sensitive Information Deemed “Adequate” (March 12, 2010)

British Columbia Auditor General John Doyle believes the provincial government is now doing an "adequate" job of protecting sensitive data on its wireless computer networks, the Times Colonist reports. Doyle's announcement comes one year after his earlier investigation into serious flaws in government practices found that two-thirds of the wireless networks tested lacked password protection or used minimal encryption, the report states. In a statement released Thursday, Doyle concluded the situation is now "generally adequate," writing, "Overall, we found that government has made some progress in securing its wireless networking environment. However, greater effort is still needed to ensure ministries comply with the policies and procedures that safeguard wireless transmissions."
Full Story

BIOMETRICS

Canadians Asked to Weigh in on Biometric Passports (March 12, 2010)

Passport Canada has confirmed it will schedule consultations to gather public input before a plan to incorporate biometric technology into passports moves forward, the Welland Tribune reports. The consultations are expected to begin in early April. Proponents of the plan say biometric passports, which include such data as fingerprints, facial recognition or iris scans, would improve border security. Critics, meanwhile, are raising privacy concerns and question the reliability of the technology, the report states. "Nobody has suggested these things are absolutely foolproof," says Welland NDP MP Malcolm Allen, who noted he is worried personal information encrypted into the documents could fall into the hands of criminals.
Full Story

TRAVELLERS’ PRIVACY

Air Canada Confirms Secure Flight Privacy Concerns (March 12, 2010)

Amidst privacy concerns surrounding the Secure Flight program, which transfers passengers' personal information from domestic airlines to the U.S. Department of Homeland Security, Air Canada officials have confirmed using the U.S. no-fly list to screen passengers on nonstop flights passing over the U.S., the Montreal Gazette reports. "Canada's approach will continue to balance the privacy rights of travellers with the need to keep the public safe from terrorist and other threats to the air transportation system," says Public Safety Canada spokesperson David Charbonneau. Anne-Marie Hayden of the Office of the Privacy Commissioner (OPC) has said the office is looking into Secure Flight and "trying to ascertain the situation" regarding privacy protection.
Full Story

DATA PROTECTION

E-Trial Security Concerns Not Insurmountable, OIPC Says (March 12, 2010)

The move to electronic court trials may bring security concerns, but Alberta's information and privacy commissioner believes those issues can be addressed, the Edmonton Journal reports. Commissioner Frank Work sees benefits to new technology that allows for a move to reducing paper and increasing efficiencies in legal cases, the report states. When it comes to security concerns, Work said there will need to be ways to authenticate documents, but added, "I don't think those concerns are insurmountable."
Full Story

STUDENT PRIVACY

OPC Announces Youth Privacy Video Competition Winners (March 12, 2010)

The Office of the Privacy Commissioner has announced the winners of its second annual "My Privacy & Me" national video competition. Entrants between the ages of 12 and 18 produced video public service announcements exploring the importance of privacy. First, second and third-place winners were selected in four categories, and the videos will be posted on the OPC's youth Web site. "Protecting personal privacy on the Internet is a relatively new behaviour that people are still getting used to--and with the prevalence of tools that are available to bring young people online, this issue is more important than ever before," said Assistant Privacy Commissioner Elizabeth Denham. "The high caliber of videos we received this year is heartening because they demonstrate that Canadian youth really seem to 'get' it."
Full Story

HEALTHCARE PRIVACY—CANADA

Commissioner Issues Warning on Health Storage Services (March 11, 2010)

Saskatchewan's Information and Privacy Commissioner is warning physicians and citizens about health record storage services being offered by an Ontario company, the Winnipeg Free Press reports. Commissioner Gary Dickson says that although DOCUdavit Services Inc. claims to provide safe and secure storage for medical information, the company does not appear to follow provincial health privacy laws. Dickson has shared his concerns with Saskatchewan Health and the Saskatchewan Medical Association, among others.
Full Story

GEO PRIVACY

Location-Based Services Raise Privacy Concerns (March 11, 2010)

A proliferation of services that let social networkers share their locations have some concerned about the privacy ramifications. Facebook and Twitter will soon offer location-based features, and dozens of similar services already exist, the Wall Street Journal reports. "There are a lot of concerns about the government being able to subpoena this information," says Carnegie Mellon University researcher Lorrie Cranor, citing other potential and possibly unwelcome uses of such information. Cranor was involved in a recent Carnegie Mellon study of 80 location services that found the majority either don't have a privacy policy or collect and save all data for an indefinite amount of time, according to the WSJ report. (Registration may be required to access story.)
Full Story

TRAVELERS’ PRIVACY

UN Expert Says Airport Scanners Violate Human Rights (March 10, 2010)

Is the use of full-body scanners in airport security a breach of individual rights? Yes, according to Martin Scheinin, the UN special rapporteur on the protection of human rights. The Montreal Gazette reports that Scheinin believes the scanners are not only an excessive intrusion into individual privacy but also ineffective in preventing terrorist attacks. "The use of a full-body scanner which reveals graphic details of the human body, including the most private parts of it, very easily is a violation of human rights," Scheinin says. He has told the UN Human Rights Council that different technology would better protect personal privacy, the report states.
Full Story

DATA LOSS—CANADA

CIBC to Compensate Customers for Breach (March 8, 2010)

The Canadian Imperial Bank of Commerce will compensate customers whose personal information was mistakenly sent to businesses in the U.S. and Quebec, Bloomberg reports. A Toronto judge approved the deal last week, settling a class-action lawsuit filed by customers whose names, social insurance numbers, account numbers and balances, addresses and signatures were exposed in faxes the bank sent to a Maryland auto accessory manufacturer and a Quebec business. In his decision, Ontario Superior Court Judge George Strathy said that class members' claims are likely to be "fairly modest." CIBC will offer settlements to each individual affected and will pay $100,000 to the Public Interest Advocacy Centre, the report states.
Full Story

HEALTHCARE PRIVACY—CANADA

When Doctors Pass Away, What Happens to Patient Health Records? (March 8, 2010)

Saskatchewan Privacy Commissioner Gary Dickson believes more needs to be done to protect sensitive, personal health information left behind when doctors retire or pass away, the Canadian Press reports. At issue, he says, is the lack of appropriate arrangements to ensure such records are either turned over to another medical professional or secured in an appropriate archive. Currently, those records could end up anywhere from a spouse's basement to an empty office. Acknowledging that some believe electronic health records will be the best solution, Dickson points out that the move to digitization will take time, adding, "If we do a crummy job protecting the privacy of patients now with paper records, is that not going to impair trust when it comes to electronic records?"
Full Story

HEALTHCARE PRIVACY—CANADA

BC Health Authority Again Criticized for Privacy Lapse (March 8, 2010)

Privacy Commissioner Paul Fraser believes Vancouver Coastal Health Authority did not consider privacy concerns when it launched a database of personal health information that was accessible to about 4,000 users, including nonprofit agencies and other public entities, CBC News reports. Fraser's report supports the findings of BC's auditor general regarding the health authority's handling of its Primary Access Regional Information System (PARIS) database, which contains such information as patient finances, social insurance numbers and diagnoses. Fraser stressed that other health authorities need to "learn from the mistakes identified in this investigation by ensuring that privacy is not added on at the end, but baked into the entire functional design."
Full Story

BEHAVIORAL TARGETING

Self-Service Ads: Serving Some Better than Others? (March 5, 2010)

The New York Times reports on reactions to Facebook's self-service ad system, which lets advertisers target promotions to users based on information they post to their profiles. Major advertisers have begun using the program, which was previously the domain of small businesses. "When it works, it's amazingly impactful," says Chicago consultant Tim Hanlon. When it doesn't work, "it's not only creepy but off-putting," Hanlon adds. Facebook members report that some targeted ads seem presumptuous and nonsensical. "What a marketer might think is endearing, by knowing a little bit about you, actually crosses the line pretty easily," Hanlon says. A Facebook spokesperson says the platform has come a long way in the past year and will continue to improve. (Registration may be required to access this story.)
Full Story

TRAVELERS’ PRIVACY

Baird Wants OPC Involved in Secure Flight (March 5, 2010)

The U.S. Secure Flight program is set to take effect in December, and Canada's Federal Transport Minister wants the Office of the Federal Privacy Commissioner (OPC) involved, reports the Ottawa Citizen. Secure Flight will require Canadian airlines flying through U.S. airspace to provide the American government with personal information on all passengers, the report states. Passengers who raise suspicions can be prevented from boarding. Transport Minister John Baird said he will consult with the OPC. "There has to be consent for the information to be shared," Baird said yesterday. In January, Canada's major airlines said that sharing passenger data with the U.S. would force carriers to breach the Personal Information Protection and Electronic Documents Act.  
Full Story

BIOMETRICS

Government Moving Forward with Biometric Passports (March 5, 2010)

The government has announced it is moving forward with its plan to require Canadians to obtain biometric passports for travel, the Toronto Star reports. Proponents of the plan believe that passports encrypted with biological information such as iris scans, fingerprints or facial recognition data "will significantly improve security." Proposed use of DNA technology raised too many privacy concerns, the report states. Public safety critic Joe Comartin says biometric passports are "still of questionable value," referencing a parliamentary committee review that found accuracy rates of biometrics to be between 85 and 90 percent.
Full Story

DATA LOSS

CIBC to Compensate Customers (March 5, 2010)

The Canadian Imperial Bank of Commerce will compensate customers whose personal information was mistakenly sent to businesses in the U.S. and Quebec, reports the Ottawa Citizen. A Toronto judge approved the deal this week, settling a class-action lawsuit filed by customers whose names, social insurance numbers, account numbers and balances, addresses and signatures were exposed in faxes the bank sent to Allstar Sports Line Ltd between 2001 and 2004, according to the report.
Full Story

PRIVACY LAW

Opinion: Advice for the Next 100 Days (March 5, 2010)

Parliament resumed this week and with 100 days until the summer break, Industry Minister Tony Clement should set a series of realizable targets for the nation's digital strategy. That's according to University of Ottawa Professor Michael Geist, writing for the Ottawa Citizen. Geist says Clement should reintroduce the Electronic Commerce Protection Act, and a privacy reform bill, "which Clement identified as a priority at the start of 2010," should also be introduced within the next 100 days. He says the government should also use the next few months to "step up its digital enforcement agenda."  
Full Story

SOCIAL NETWORKING

Social Networking Sites Offer Privacy Controls, But Are They Used? (March 5, 2010)

The Brock Press reports on the Facebook phenomenon and some of the privacy risks users assume when using social networking sites. It has been an area of interest for the Canadian privacy commissioner, whose 2009 report on Facebook's privacy practices prompted the company to change certain privacy policies. However, additional policy changes in December resulted in more "open" user accounts, the report states. This, says University of British Columbia computer science professor Richard Rosenberg, maximizes the advertising potential for the company, but places the onus on users to take a proactive interest in managing their privacy settings. "There is a lot of concern about whether or not people are aware of this," Rosenberg says, and if they do know, about whether they care.
Full Story

GEO PRIVACY

Some Sites Share Users’ Location Data (March 3, 2010)

Some users of social media are now more tentative about posting personal location details after learning about some of the privacy implications. One user tells of his surprise after he logged on to social networking site Foursquare, which flagged his physical location online. That information made its way onto pleaserobme.com, a site that aggregates social media data to create a clearinghouse of who's home and who's not. The Globe and Mail reports on the dangers users face in posting their whereabouts to social networking sites. One expert suggests "the normalization of online over-sharing means most don't give a second thought to what they post since 'everyone else is doing it.'"  
Full Story

ONLINE PRIVACY

Internet of Things More Reality than Fiction (March 2, 2010)

A new McKinsey consultancy report suggests that the "Internet of things" is closer than ever to becoming a reality, The Guardian reports. The system would see everyday objects like shoes and food become capable of communicating data about their position, status and location through GPS and RFID systems, the report states. "Pill-shaped micro-cameras already traverse the human digestive tract and send back thousands of images to pinpoint sources of illness," the authors write, describing the potential benefits of the Internet of things. But they acknowledge the downsides, as well, saying that companies working on such technological advances must consider privacy, security and data protection concerns.
Full Story

PERSONAL PRIVACY—CANADA

Police: Vehicle Signs Do Not Breach Privacy Laws (March 1, 2010)

Niagara Regional Police believe vehicle-mounted signs announcing drug searches are substantially different from those placed in front of homes by another department and found in breach of privacy laws last year, The Standard reports. The Office of the Information and Privacy Commissioner of Ontario determined in October that signs posted by Cornwall police in front of properties violated privacy laws by divulging addresses where police had executed search warrants. Niagara police, meanwhile, recently began posting signs on a van used during marijuana investigations. "It's not meant in any way to comment on the residents of the home," said Deputy Chief Joe Matthews, "just to provide the public with an understanding of what the police activity is."
Full Story

ONLINE PRIVACY

Dealing with the Data Deluge (March 1, 2010)

It is expected that in 2010, mankind will create 150 exabytes (billion gigabytes) of data. The Economist reports on the "data deluge" which "has great potential for good," as long as mankind makes the right choices about when to restrict versus encourage its flow. The article highlights which industries are best at gathering and making use of data ("plucking the diamond from the waste"), and discusses the risks: missing disks, lost laptops, unexpected changes to social networking sites' privacy policies, for example. "The best way to deal with these drawbacks of the data deluge is," the report states, "paradoxically, to make more data available in the right way..."
Full Story