Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

SOCIAL NETWORKING

Getting Divorced? Watch What You Post Online (June 29, 2010)

All those details social network users share online can add up to an abundance of evidence in divorce cases, the Associated Press reports. According to the American Academy of Matrimonial Lawyers, 81 percent of its members have used or faced evidence found on Facebook, MySpace, Twitter and other social networking sites in the past five years alone. "You're finding information that you just never get in the normal discovery process--ever," said one divorce attorney. "People are just blabbing things all over Facebook. People don't yet quite connect what they're saying in their divorce cases is completely different from what they're saying on Facebook. It doesn't even occur to them that they'd be found out."
Full Story

ONLINE PRIVACY

It’s Virtually Impossible To Hide (June 29, 2010)

In light of Web databases and services for "finding" people, privacy advocates are issuing warnings that a lack of online regulation allows companies to have too much control over personal information. That's according to a San Francisco Chronicle report on the dangers to both reputation and physical safety that can be posed by various online services that gather data and share information ranging from addresses to home values to "dateability." Pam Dixon of the World Privacy Forum said individuals have little control over their online information, while Paul Stephens of the Privacy Rights Clearinghouse points out that "a nosy neighbor" or marketer who is not likely to access files housed in archives can easily view digital records available at the click of a mouse.
Full Story

DATA LOSS—CANADA

Newsroom Again Receives Patient Information (June 28, 2010)

The CBC is reporting receiving healthcare information accidentally from Northwest Territories (NWT) health authorities one month after a similar breach raised concerns about patient confidentiality. "Two separate sets of patient files were mistakenly faxed to the CBC's Yellowknife newsroom on June 18," the report states, including a patient prescription record from the Yellowknife Health and Social Services Authority and documentation of a meeting with a wellness counselor from the Fort Smith Health and Social Services Authority. In each case, human error has been cited as the reason for the breaches. When similar fax errors occurred last month, NWT Privacy Commissioner Elaine Keenan Bengts described such breaches as an "eye-opener" for healthcare facilities across the region, the report states.
Full Story

SOCIAL NETWORKING

Privacy vs. Oversharing in a TMI World (June 28, 2010)

Many "social networking companies with business models hungry for personal data" are encouraging users to "overshare" without comprehending the consequences, the Mercury News reports. With the dangers of sharing too much information ranging from embarrassment to loss of employment to abuse by stalkers or scammers, consumer advocates and legislators are turning their attention to requiring companies to protect their users, the report states. At issue, according to some scholars, is the gap between what people say and what they do. "People report in studies that they care deeply about privacy," said Ryan Calo of Stanford Law School's Center for Internet and Society, "but then people don't seem to act in a way that protects their privacy."
Full Story

PRIVACY LAW

OPC Gathers Input for PIPEDA Review (June 25, 2010)

When it comes to privacy law and cloud computing, the biggest threat is that Canada "only has limited authority over most of the companies providing these services." That was the message from Brad Templeton of the Electronic Frontier Foundation during a panel discussion in Calgary hosted by the Office of the Privacy Commissioner to gather input for an upcoming review of the Personal Information Protection and Electronic Documents Act (PIPEDA). ITWorld reports that the OPC is considering whether PIPEDA is the right framework and model in light of new technologies. Speaking at the Calgary event, Assistant Privacy Commissioner Elizabeth Denham said the OPC's goal is to gather information on complex issues that will have an impact on privacy regulation now and in years to come, the report states.
Full Story

DATA LOSS

Teen Charged With Illegally Accessing U.S. Data (June 25, 2010)

A 17-year-old Ontario boy has been charged with hacking into a U.S.-based computer server and accessing sensitive information, The Globe and Mail reports. The arrest came after police investigated a complaint from a Colorado, U.S., sheriff's department alleging unauthorized access and damage to a private server that contained sensitive data, including tax records, the report states. The teen is facing charges related to the fraudulent use of a computer and password and interfering with the lawful use of data.
Full Story

ONLINE PRIVACY

Protecting Data A Top Priority (June 25, 2010)

A recent survey indicates that protecting sensitive information is a high priority for Canada's businesses, the Financial Post reports. Symantec's 2010 SMB Information Protection Report surveyed 2,152 executives from 28 countries--including 192 in Canada--and found that only seven percent of Canadian firms had lost confidential data in the past, compared to a global average of 42 percent. The study found that in Canada, top issues that came as a result of such attacks included theft of corporate data and loss of personal information.
Full Story

SOCIAL NETWORKING

Expert: Privacy Advocates’ Expectations Unrealistic (June 25, 2010)

Facebook has released its response to an open letter from privacy advocates asking the company to address "outstanding privacy problems," saying it has already created measures to protect user privacy. Meanwhile, a privacy law expert has said the advocates' expectations are unrealistic. PCWorld reports on Facebook's response that the information third-parties receive from the site is the same that can be viewed by accessing users' public information. "We do not use (the information) for ad targeting nor do we sell it to third parties," the response states. "That information cannot be sold or shared with others or used in any way other than to improve the experience of Facebook users visiting their site."
Full Story

EMPLOYEE PRIVACY—CANADA

Adjudicator: Company Must Offer Privacy Education (June 24, 2010)

An Edmonton-based business has been ordered to educate its employees about privacy laws after two managers sent out a memo about the departure of a "difficult" staffer, the Edmonton Journal reports. Keri Ridley, information and privacy adjudicator, has ruled that managers at Insight Psychological violated the former employee's privacy rights by releasing personal information without her consent, the report states. While the company said it released the information to dispel rumors, Ridley wrote in an 18-page decision released Wednesday that the company's opinions "were not innocuous information, nor was it distributed to those who needed to know it." An Information and Privacy Commission spokesman said organizations need to be cognizant of Alberta's privacy laws "when they develop their own privacy policies."
Full Story

SOCIAL NETWORKING

Facebook Creating Location-Based Service (June 24, 2010)

The world's largest social networking site is "pretty close" to providing location-based services, CEO Mark Zuckerberg said Wednesday at an event in Cannes, France. The service would allow marketers to deliver personalized ads to Facebook users based on their locations, Bloomberg reports. Attendees at last week's Computers, Freedom and Privacy conference, meanwhile, have released a 14-point Social Networking Users' Bill of Rights focused on privacy enhancements and user control. For his part, Zuckerberg spoke of recent privacy complaints against the site at the Cannes event, noting, "With almost a half-billion users, we're making a transition. Our challenge is to make a safe, secure environment for users to share."
Full Story

CHILDREN’S PRIVACY

Survey: Teens Engage in Risky Behaviors Online (June 23, 2010)

USA Today reports on survey results that indicate teenagers often participate in risky behaviors online. Released this week, The Harris Interactive survey, commissioned by McAfee and titled "The Secret Online Lives of Teens," polled 955 teens ages 13-17. Of those polled, 69 percent said they divulged their physical location while online and 28 percent said they chatted with strangers. Girls often were more willing to divulge information than boys, with 32 percent saying that they chat with strangers online compared with 24 percent of male respondents. "This is a wake-up call to the real dangers our teens face when they make themselves vulnerable online," said McAfee's chief cyber security mom.
Full Story

GEO PRIVACY

Apple Updates Location-Based Services Policy (June 22, 2010)

Apple has updated its privacy policy to make sure users know that when they use location-based services, they will be sharing their location information with that service provider. CNET News reports that the update, which was released on Monday, specifies that in order to provide location-based services, "Apple and our partners and licensees may collect, use and share precise location data, including the real-time geographic location of your Apple computer or device." The policy points out that the information is collected anonymously "to provide and improve location-based products and services." The announcement comes on the heels of comments by Apple CEO Steve Jobs at this month's All Things Digital conference, where he said customers should always be asked whether they want to share their information.
Full Story

DATA LOSS—CANADA

Tax Employees Viewed Documents (June 22, 2010)

The Toronto Star reports that dozens of employees at Canada's tax agency have accessed taxpayers' personal information inappropriately. In one breach last October, an employee accessed 37,500 e-mails and 776 documents and downloaded them for her personal use with the aid of agency technicians, the report states. Other incidents involved employees accessing the tax documents of ex-spouses, family members and friends. In 2008-2009, there were 29 cases in which employees accessed documents without authorization and 12 cases in which records were disclosed to third parties. "The agency consistently continues to review its activities to enhance prevention, detection and deterrence," said a spokesman.
Full Story

ONLINE PRIVACY

Certifier: Business Model Switch Levels Playing Field (June 22, 2010)
online privacy, daily dashboard

PRIVACY—CANADA

Commissioner Establishes Toronto Office (June 21, 2010)

Canada's Office of the Privacy Commissioner (OPC) has established a Toronto office in an effort to develop a more effective presence there, according to a press release. Privacy Commissioner Jennifer Stoddart said increasing her office's regional presence was needed "in order to build stronger ties with our provincial colleagues and other stakeholders across the country." In the last two years, more than half of respondents to PIPEDA complaints have had addresses in the greater Toronto area, the commissioner said, adding that an office will help to fill a gap there. Robin Gould-Soil, CIPP/C, former chief privacy officer at TD Bank Financial Group, will direct the Toronto office.
Full Story

PRIVACY LAW

Crown Disputes Commissioner’s Jury Selection Report (June 18, 2010)

The Ontario government is disputing the findings of a report issued last fall by Ontario Privacy Commissioner Ann Cavoukian that determined approximately one-third of Crown offices in the province violated the Juries Act by using confidential police databases to vet prospective jurors, the National Post reports. The Crown has said the report was the result of "an inaccurate and incomplete understanding" of the jury selection process. The Office of the Information and Privacy Commissioner "strongly disagrees" with that interpretation, said its senior counsel, David Goodis, explaining, "Our findings were based on the source from which the Crown collected the information, such as police, not the format in which that information was held."
Full Story

PRIVACY

Clayton To Be Assistant Commissioner (June 18, 2010)

Alberta Information and Privacy Commissioner Frank Work has appointed current director of PIPA, Jill Clayton, to be assistant commissioner. According to an OIPC release, Clayton will now be responsible for the development, implementation and oversight of recent changes to the Personal Information Protection Act (PIPA)--in particular mandatory breach notification requirements--in addition to her regular duties. "As the first jurisdiction in Canada to embark on this kind of mandatory notification, we will be setting precedent, and Jill will play a significant role in establishing a breach notification model for Alberta and liaising with other jurisdictions when mandatory reporting is introduced in those jurisdictions," said Commissioner Work.
Full Story

CONSUMER PRIVACY—CANADA

Guiding Document Aims to Protect Smart Grid Data (June 17, 2010)

Privacy Commissioner Ann Cavoukian has launched a publication aimed at guiding utilities on how to protect consumers' personal information in the smart grid, IT World reports. The commissioner partnered with Hydro One and Toronto Hydro to publish "Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid," which outlines best practices. The smart grid will digitize consumer energy information, in some cases down to the appliance level. "The smart grid's impact is being compared to the advent of the Internet, which was built without privacy in mind and which now faces an extreme impediment and very high levels of scrutiny regarding privacy," the publication states. Cavoukian said the time to embed privacy into the design of the smart grid is "during its infancy." (Watch IT World's interview with Commissioner Cavoukian here.)
Full Story

EMPLOYEE PRIVACY

Staff Surveillance: Part of the IT Job (June 17, 2010)

As more corporate infractions such as leaking intellectual property, sharing trade secrets and violating regulatory requirements are occurring via the Internet, Computerworld reports that organizations are increasingly monitoring what their employees are doing online--at home as well as during work hours. Often, the report states, it is the IT department that is tasked with filtering Web sites, scanning e-mails, watching what employees post on social networks, collecting mobile phone calls and messages and, in some cases, even tracking employees' physical locations using GPS features on smartphones. Some estimates indicate such monitoring uses up more than 20 percent of an average IT manager's workday.
Full Story

PRIVACY LAW—CANADA

Toronto Woman Launches Campaign for Ontario Privacy Law (June 17, 2010)

The Toronto woman suing her former phone company for allegedly invading her privacy has launched a campaign to find other frustrated customers to join her lawsuit, the Toronto Star reports. Gabriela Nagy says the company consolidated her household's invoices for services--including Nagy's mobile phone bill--without her consent, allowing her husband to discover her extramarital affair. Nagy, whose suit claims invasion of privacy and breach of contract, said federal privacy laws have no teeth and that Ontario doesn't have its own privacy laws like other Canadian provinces, adding "If we have no privacy, we are nothing." She's created a Facebook group called "Citizens Helping Individuals Reform Privacy Policies."
Full Story

SOCIAL NETWORKING

Advocates: Facebook Needs More Privacy Changes (June 17, 2010)

In an open letter to Facebook CEO Mark Zuckerberg, a group of privacy advocates acknowledges the social network has made some positive changes but calls on the company to do more to address "outstanding privacy problems." V3.co.uk reports that the group, which includes the American Civil Liberties Union, Electronic Frontier Foundation, Electronic Privacy Information Center, PrivacyActivism, Privacy Lives and the Privacy Rights Clearinghouse, has made six recommendations to Facebook,
including giving users the choice of opting in to the site's "instant personalization" feature rather than opting out. The letter urges Facebook to give users "control over how and with whom they share" their information--including their names,
gender, profile pictures and networks.
Full Story

GEO PRIVACY

Make Maximum Privacy Default (June 16, 2010)

The International Business Times reports that as location-based services become more common, so do privacy and security concerns. Stored locational data could be misused or used in civil lawsuits such as divorce cases, said Peter Eckersley of the Electronic Frontier Foundation. He added that unless the company providing the service specifically states how long the data is kept, chances are it is forever. "Privacy is hard to figure out. It's hard to anticipate in advance the kind of privacy you're going to need," he said, adding that the solution is to design applications to provide maximum privacy as the default. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Whitepaper: Five Risks CIOs Must Consider (June 15, 2010)

Companies should embrace social media while encouraging employees to make themselves aware of the risks involved. That's according to the Information Systems Audit and Control Association (ISACA), which this week released a whitepaper on social networking risks CIOs should be aware of, CIO reports. "Companies should embrace it, not block it," said ISACA Vice President Robert Stroud. "But they also need to empower their employees with knowledge to implement sound social media governance." The whitepaper cites viruses and malware, brand hijacking, lack of control over content, unrealistic consumer expectations of "Internet-speed" service and noncompliance with records management regulations as the top five risks.
Full Story

ONLINE PRIVACY

Cloud Computing Study Portends Ubiquity, Big Breaches (June 14, 2010)

A Pew Internet survey has revealed most experts agree that cloud computing will be ubiquitous by the year 2020, Ars Technica reports. But some also caution that a massive data breach will cause a rethink on that move. "Expect a major news event involving a cloud catastrophe (security breach or lost data) to drive a reversion of these critical resources back to dedicated computing," said the Mozilla Foundation's Nathaniel James in the Pew report, which reflects widespread unease about the cloud. "Trust not the cloud for reliability, security, privacy," said University of Toronto Professor Barry Wellman.
Full Story

PRIVACY LAW—CANADA

Expert: Information Protection Rules “Toothless” (June 14, 2010)

The Daily News reports that current federal and provincial laws are not doing enough to protect personal data stored
electronically, using as an example the recent thefts of laptops from financial institutions in Nanaimo. The report points
out that under both the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial law,
there is no obligation for financial companies to disclose what client information was stored on the stolen computers.
Technology and e-business attorney David Canton warns that changes proposed to amend PIPEDA "are rather toothless...There
certainly remains a lack of power for the police to force any company to inform their clients that their personal information
may have been breached."
Full Story

ONLINE PRIVACY

Questions Surround WiFi Collection (June 11, 2010)

The most recent investigations into Google's collection of WiFi data were announced this week in Australia, New Zealand, Hong Kong and the U.S. as privacy officials and advocates in Canada continue to raise questions. The Montreal Gazette reports that the interception of 600 GB of personal data--potentially including such information as credit card numbers and personal e-mails--could amount to a privacy incident "of epic proportions." Google has said the collection was accidental. In a statement released when her office announced last week that it would investigate the incident, Privacy Commissioner Jennifer Stoddart said, "We have a number of questions about how this collection could have happened and about the impact on people's privacy."
Full Story

DATA PROTECTION

Increased Data Protection Needed in Mortgage Brokering (June 11, 2010)

Though mortgage brokers have made strides in protecting personal data, an Office of the Privacy Commissioner (OPC) audit has revealed that more should be done, reports The Globe and Mail. The OPC conducted the audit after 14 data breaches involving impersonated mortgage brokers downloading credit reports for false applicants. Since then, brokerages have improved data protection, but "we have ongoing concerns about the controls and safeguards in the way in which credit reports are obtained," said Assistant Privacy Commissioner Elizabeth Denham. The OPC details the audit findings in its annual report to parliament, tabled Tuesday.
Full Story

PRIVACY LAW

Councillors’ Request May Violate Privacy (June 11, 2010)

Efforts by three Toronto councillors to gain greater access to the city's Integrated Business Management System could breach privacy law, the Toronto Star reports. The system includes private information about residents and businesses, the report states, and privacy advocates argue such access would infringe on people's rights to confidentiality and would also appear to breach existing privacy law. A hearing on the councillors' request is scheduled for Oct. 14. Staff from the Office of the Information and Privacy Commissioner (OIPC) will be in attendance at the hearing, the report states, seeking to have the case transferred to that office for a ruling.
Full Story

DATA LOSS

Inappropriate Access Review Continues (June 11, 2010)

Four cases of "inappropriate system access" at Saskatchewan Government Insurance (SGI) have been confirmed so far this year, with another case still under review, the Leader-Post reports. SGI's database includes customer contact information, driver and vehicle information, driving history and health information, and the most recent case involved the leak of addresses by a Ministry of Justice employee to the Teamsters union, the report states. Saskatchewan Privacy Commissioner Gary Dickson, who could not comment on the breach as it will be reviewed by his office, said previously that he favors a more formal system requiring government agencies to disclose when privacy breaches have occurred.
Full Story

PRIVACY

Opinion: Politicians Would Be Smart to Take up Privacy (June 11, 2010)

The Regina Leader-Post columnist Murray Mandryk says politicians would be wise to champion privacy and that doing so may even work to their benefit. He says their constituents are more concerned about privacy than ever given today's online environment with its electronic health data and increasing instances of identity theft, among other concerns. "Championing the privacy file should be a no-brainer," wrote Mandryk in his column Wednesday. It's an idea that Saskatchewan Information and Privacy Commissioner Gary Dickson agrees with. Dickson says privacy is usually a safe topic for politicians to champion given that the public is most often in conflict with third-party providers like schools, hospitals and police over privacy, the report states.
Full Story

ONLINE PRIVACY

Cyber Safety vs. Internet Freedom (June 10, 2010)

Concerns about the potential for nations to use the Internet to secretly declare "cyberwar" on each other are bringing to light the challenge of balancing online privacy with public safety. NPR reports that while security experts focus on the "attribution problem" of identifying and tracking down the source of cyberattacks, privacy advocates fear the loss of anonymity for Internet users. Security experts suggest that deterrence in the form of knowing where an attack comes from is needed to prevent countries from secretly using the Internet to disable their rivals' power grids, telecommunications, transportation and banking systems. Privacy advocates, meanwhile, question whether the security benefits will justify the cost to privacy, especially in countries where dissidents depend on anonymity to raise awareness of human rights issues.
Full Story

PRIVACY LAW—CANADA

Commissioner Releases 2009 PIPEDA Report (June 9, 2010)

For the Office of the Privacy Commissioner (OPC), "2009 was a watershed year," Commissioner Jennifer Stoddart writes in her report to parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA). "The dominant theme of our work in 2009 was the protection of privacy in an increasingly online, borderless world," she notes. The report, which was submitted to parliament Tuesday, highlights such key issues as the "exponential growth" in technology-based investigations. Stoddart notes that while the OPC has been able to apply PIPEDA to tools and business models that did not exist when it came into force, it is essential to review privacy laws and administrative structures to ensure they keep pace with technology. "It is increasingly clear that if data protection authorities want to remain relevant," she writes, "the online world is where they need to be."
Full Story

PRIVACY—CANADA

Saskatchewan Gov’t Considering Breach Disclosures (June 9, 2010)

The Saskatchewan government is considering the mandatory disclosure of privacy breaches, reports The StarPhoenix. The announcement follows recent high-profile incidents involving data breaches at government entities. Justice Minister Don Morgan said disclosure is optimal for "any kind of significant breach," adding, "I think it would be beneficial for the government to try and develop a practice as to what kind of information would be released when there is a breach." Saskatchewan Privacy Commissioner Gary Dickson has also supported the idea. Without a disclosure system for privacy breaches, he said, "there's really a lack of data showing how often it happens."
Full Story

BEHAVIORAL TARGETING

Firefox Has New Plans for Third-Party Cookies (June 8, 2010)

Mozilla, creator of Web browser Firefox, is updating its browser code to "dramatically change the handling of third-party cookies," writes Jules Polonetsky, CIPP, of the U.S.-based Future of Privacy Forum. Comments from Dan Wittes of Mozilla on the company's message board explained that third-party cookies will now only be persistent for a given session, while those who opt out of the default to accept cookies would completely disable them. "So if a user keeps their computer on and browser open, tracking across sites will continue," Polonetsky writes, "but if a user closes their browser, tracking cookies will be deleted."
Full Story

PRIVACY—CANADA

$500K for Privacy Research, Awareness (June 7, 2010)

Privacy Commissioner Jennifer Stoddart has announced the 2010-11 Contributions Program recipients. Thirteen organizations across Canada will receive a combined $500,000 for research and projects to advance privacy awareness and rights. The projects focus on four key priority areas: targeted online advertising, data sharing through national border security programs, video surveillance and online health records. Among this year's recipients are the University of Victoria, which will receive $46,250 to explore tools and licensing programs for online health records, and the University of Toronto, which plans to create a privacy-protective "mobile wallet." Other recipients include Ryerson University, Option Consommateurs and the Public Interest Advocacy Centre.
Full Story

DATA PROTECTION

Hengesbaugh Discusses Challenges, Solutions (June 7, 2010)

BankInfoSecurity spoke with attorney Brian Hengesbaugh, CIPP, about the top privacy and security issues for organizations today. Hengesbaugh is a partner in the Chicago offices of the global law firm Baker & McKenzie, where he sits on the firm's global privacy steering committee. He says U.S. breach notification rules and a proliferation of new privacy laws worldwide are posing some of the day's top challenges. Hengesbaugh says that "A lot of U.S. companies haven't yet realized how strict these privacy laws are," and discusses what businesses should do to comply.

Editor's note: Read Brian Hengesbaugh's Privacy Advisor article about the U.S.-EU Safe Harbor privacy framework here
Full Story

SOCIAL NETWORKING

Facebook: It’s Vital to “Disrupt Things” (June 4, 2010)

In an Ottawa Citizen report, Facebook CEO Mark Zuckerberg defends changes to the service that have provoked privacy concerns, saying that it is in the best interest of the company and the industry to "disrupt things." Zuckerberg has also suggested that his company is doing a "reasonable job" of giving its users the ability to control their privacy on the social networking site. Based on a recent interview with Zuckerberg, indications are that Facebook will continue to require users to opt out of sharing personal information. "It's never been by default just your friends...It's always been the community around you," Zuckerberg said, adding, "The big feedback we got that really resonated with me is that over time the privacy settings have just become too complex."
Full Story

INFORMATION ACCESS

PM Nominates Legault as Information Commissioner (June 4, 2010)

Prime Minister Stephen Harper has announced the nomination of Suzanne Legault as Canada's new information commissioner, 680News Radio reports. Legault has been interim information commissioner of Canada for the past year and, prior to that, served as assistant information commissioner since 2007. Harper said in his announcement on Thursday that Legault "brings considerable expertise in access to information and privacy protection issues to the position as well as an in-depth understanding of law and the functioning of government. I am pleased that she has agreed to be nominated for this important role." Also on Thursday, Legault released her office's annual report, raising concerns about the CBC and other agencies over "stonewalling" access to information requests.
Full Story

PRIVACY LAW

Professors: PIPEDA Not Tough Enough (June 4, 2010)

In a paper presented at the 2010 Congress for the Humanities and Social Sciences, two professors suggest that the Personal Information Protection and Electronic Documents Act (PIPEDA) is not specific--or stringent--enough to protect Canadians online, the Montreal Gazette reports. Researchers Wendy Kraglund-Gauthier and David Young of St. Francis Xavier University also contend that it is difficult to enforce Canadian privacy laws in instances where data is stored on servers located in other countries. Given the constant struggle to keep policies in step with technology, the pair cautions that while privacy may be expected, it cannot be assumed.
Full Story

PRIVACY LAW

Opinion: Bill “Has Bark But No Bite” (June 4, 2010)

Canadian scholar Michael Geist says a bill tabled last week could do more harm than good. The University of Ottawa law professor writes in the Toronto Star that the Safeguarding Canadians' Personal Information Act, C-29, "is a disappointment that falls short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information and guarding against overwhelming Canadians with too many choices." The bill would establish a security breach disclosure requirement, but Geist says the high threshold it sets for disclosure and the lack of penalties for non-disclosures takes the bite out of the "long overdue" legislation.  
Full Story

PRIVACY LAW

Utility Not Made to Reveal Customer Records to Police (June 4, 2010)

BC Hydro will not be required to turn over more than a thousand homeowners' energy consumption records to the Royal Canadian Mounted Police (RCMP), Global Toronto reports.  The RCMP withdrew its request for the records last week after BC Hydro fought a judge's order to hand them over. Though RCMP didn't specify its reason for requesting the records, it is believed they were intended to help identify marijuana grow operations, which typically require large amounts of electricity. A court affidavit expressed BC Hydro's concern that the order could force the company to hand over records of law-abiding citizens and subject them to police investigation, the report states.  
Full Story

SOCIAL NETWORKING

For Privacy, Devil is in the Default (June 4, 2010)

In the two years since CIPPIC filed its complaint against Facebook that spurred an investigation by the Office of the Privacy Commissioner, the social networking site "has done nothing to improve privacy in its default settings," Ian Kerr of the University of Ottawa's Centre for Law, Technology and Society writes in a report featured in the Edmonton Journal. Assessing Facebook's most recent privacy settings, Kerr contends that the focus is on user interface only, with the defaults still set in favor of exposing users' information, stressing that to fix the privacy problem the opposite should be the case. "The devil is in the defaults," he writes, urging Canada's government to enact legal provisions focused on what he calls "privacy by default."
Full Story

DATA PROTECTION

Opinion: Smart Grid Must be Protected like “Fort Knox” (June 4, 2010)

A Windsor Star editorial says the government should be setting the ground rules for privacy issues related to smart meters now. The editors cite Ontario Privacy Commissioner Ann Cavoukian's warning to build privacy into the design of the smart grid and its accompanying smart appliances. Cavoukian has concerns about the grid potentially serving as a "treasure trove" for hackers, thieves or marketers as Ontario moves closer to implementation. "What will develop over time is a library of personal information relating to a profile of your personal energy use. When you watch TV, what time of day, when you eat, when you sleep and wake," Cavoukian said. "This thing has to be protected like Fort Knox."
Full Story

ONLINE PRIVACY

Google To Begin Data Handover, Lawsuit Amended (June 4, 2010)

Google's CEO told the Financial Times the company will begin handing over data intercepted from private WiFi connections to European regulators within the next day or so. Eric Schmidt said the company will release the data to German, French and Spanish data protection authorities first. Google will also publish the results of an external audit into the data collection, in which company vehicles lifted snippets of personal information from unsecured wireless networks while traversing cities and towns to collect photographs for its Street View mapping feature. Google has asserted the collection was inadvertent, but lawyers representing an Oregon plaintiff modified a lawsuit against the company on Wednesday, claiming that a patent application filed in 2008 indicates it was deliberate. (Registration may be required to access this story.)  
Full Story

RFID—CANADA

Experts: “Contactless” Credit Cards Pose Security Risks (June 3, 2010)

Most new credit cards in Canada are equipped with embedded radio frequency identification (RFID) chips, which experts caution poses major fraud and privacy concerns, CBC News reports. "Contactless" credit cards need only be waved near a payment terminal in a store for the RFID chip to supply the number and expiration date, the report states, which means that anyone who purchases an RFID reader online could potentially begin accessing accounts without the cardholders' knowledge. In addition to fraud risks for these unencrypted credit cards, experts also warn of other privacy violations, such as employers using card-access doorways to scan employees' RFID credit cards for information on their finances and lifestyles.
Full Story

HEALTHCARE PRIVACY—CANADA

Telus Employees Piloting e-Health Platform (June 2, 2010)

Telus will soon launch a consumer electronic health service that chief executive Darren Entwistle says will "revolutionize" healthcare, The Vancouver Sun reports. "Canadians will have the ability to create, store and manage their personal health information across their computers and smartphones and, in the future, TVs," Entwistle said at an e-health conference in Vancouver this week. Currently, 750 Telus employees are piloting the platform, which will enable the secure transmission of health information between providers and patients and will improve the privacy and accuracy of electronic health records, Entwistle says. He expects the service will be available to consumers by year's end.
Full Story

SOCIAL NETWORKING

Yahoo Plans E-mail Networking Service (June 2, 2010)

Yahoo will soon be entering the social networking fray with a new service that uses its 280 million e-mail subscribers' contact lists to create a base for sharing information on the Web, The Washington Post reports. Users will be able to exchange such information as comments and photographs, but their contacts will not be shared publicly, the report states. In an effort to address privacy concerns, the company has said it will give users a week's notice before launching the new features and will also provide a simple one-click function for opting out entirely. "We've been watching and trying to be thoughtful about our approach," said Anne Toth, Yahoo's head of privacy. (Registration may be required to access this story.)
Full Story

DATA LOSS—CANADA

UHN Laptop Stolen; Patient Data Accessible (June 1, 2010)

University Health Network (UHN) has informed patients and the privacy commissioner that a laptop containing the personal health information of about 20,000 surgical patients was stolen from an employee's car. A UHN press release states that the laptop's encryption had failed, making accessible names, types of surgeries and, in some cases, phone numbers of surgical patients who used the hospital system between 2004 and 2010. UHN has deemed that the laptop was likely stolen for its resale value, not for the data it contains and that the risk for misuse of the data is low. The system will send letters to patients whose phone numbers are on the laptop and will review its procedures and intensify employee education.
Full Story

ONLINE PRIVACY

New Companies Bank on Privacy (June 1, 2010)

In the wake of recent backlash against Facebook and Google over their handling of user information, The San Francisco Chronicle reports that "a slate of ambitious online startups are aiming to squeeze into the fields of social networking and search by touting a stronger focus on privacy." In such privacy-focused social networking projects as Diaspora, Appleseed and OneSocialWeb as well as search engines like Yauba, Ixquick and Duck Duck, a strong focus on privacy is included as part of the package, the report states. And while market analysts do not see privacy as the sole factor to draw users from one service to another, Ryan Calo, whose company reviews Web applications based on privacy, security and openness, believes companies have begun to use privacy as a business differentiator.
Full Story