Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

TRAVELLERS’ PRIVACY

Is Bill C-42 Going Too Far? (December 23, 2010)

In the years since the 9/11 terrorist attacks, Canadians have significantly tightened airline security with laws, security cameras and full-body scanners. Now a bill is on the table that would give the U.S. access to passenger data on U.S. overflights, reports the Toronto Star. Bill C-42 would give the U.S. government the personal information needed to ban travellers based on its no-fly list and has some wondering if the Canadian government has failed to protect citizens' privacy. Sukanya Pillay of the Canadian Civil Liberties Association said the government must balance citizens' safety with their privacy rights, while Privacy Commissioner Jennifer Stoddart called the bill "deceptively simple," calling out privacy and sovereignty issues.

PRIVACY LAW

Company Reaches Telemarketing Violation Settlement (December 23, 2010)

The Canadian Radio-television and Telecommunications Commission (CRTC) announced this week that it has reached a settlement with Bell Canada regarding the company's unauthorized telemarketing practices, Canada NewsWire reports. The company will pay a $1.3 million penalty after an independent third party it hired called consumers registered on the National Do Not Call List or who should have been on Bell Canada's internal list. CRTC's chief telecommunications enforcement officer said, "All telemarketers must respect the wishes of Canadians who have registered their telephone number on the National DNCL or requested that a telemarketer include their number on its internal do not call list."

RFID

W. Kelowna Looks at Cost, Privacy in Trash Bin Program (December 23, 2010)

West Kelowna may opt out of a regional RFID waste monitoring program citing privacy concerns, but regional officials say the town would then need to make other arrangements for inspecting trash at its own expense, reports the Kelowna Capital News. The new system aims to identify and penalize people who dispose of contaminants with their yard waste materials by linking trash bins to addresses. West Kelowna Councilwoman Carol Zanon voiced concerns about an agency snooping into people's garbage, among others, saying, "there's a time when you have to take a stand on people's rights to privacy." Meanwhile, the mayor worries about the possibility of people planting materials in their neighbors' bins.

CHILDREN’S PRIVACY

Kids Should Limit “Dear Santa” Letter PII (December 23, 2010)

The Edmonton Journal reports on a U.S. advertising regulator's warning of the potential dangers to children lurking on "Dear Santa" Web sites. More than 60 Internet domains have registered using the Santa Claus name so kids can send wish lists, but the U.S. Children's Advertising Review Unit (CARU) warns that parents should check each site's privacy policy before allowing their child to hit "submit." Policies should include information on how personally identifiable information will be used and retained and whether or not third parties will have access to it. CARU spokeswoman Angela Tiffin says kids should avoid including phone numbers, addresses and schools. After all, "Santa already knows where all the children live," she said.

ONLINE PRIVACY

Commissioner: You Can Outsmart Your Smartphone (December 23, 2010)

While enjoying that new smartphone this holiday season, don't forget it does have an impact on your personal information. That's the message being shared by Privacy Commissioner Jennifer Stoddart, who cautions, "A fully-loaded smartphone is like carrying around a tiny little communications satellite...It's constantly sending and receiving data about your activities and your whereabouts. But where is the data going? What is it saying about you? And what is the effect on your privacy?" The Office of the Privacy Commissioner highlights tips on how to use a smartphone's many features while being aware of apps' varied privacy policies and practices.

ONLINE PRIVACY

EFF Co-Founder on Privacy in the Internet Age (December 22, 2010)

On the heels of recent privacy efforts by the U.S. Federal Trade Commission, Commerce Department and technology companies from across the globe, the BBC has published a dialogue with Electronic Frontier Foundation (EFF) Co-founder John Perry Barlow on changes to privacy in this online age and the battle between what governments and organizations know about individuals. Perry Barlow also weighs in with thoughts on how several global corporations do business with regard to privacy and transparency. Individual privacy is eroding, he suggests, adding that it is not "safe to have a world where the individual has no privacy and the institutions go on being private."

PRIVACY LAW—CANADA

Damages Awarded in Erroneous Credit Check Case (December 21, 2010)

TransUnion of Canada will pay $5,000 in damages to a Calgary man whose loan application was turned down after another person's credit history was wrongly passed on to the bank, the Toronto Star reports. Mirza Nammo is the first plaintiff to be awarded damages for a breach of the federal privacy act. Federal Court Justice Russel Zinn found the payback was warranted because of repeated failures by the credit reporting agency to correct the "grossly inaccurate" information quickly and effectively, the report states. Zinn compared a credit check to a strip search, saying it can be "equally intrusive, embarrassing and humiliating."

PERSONAL PRIVACY

Study: Education Lacking on Smart Meters (December 21, 2010)

When it comes to smart meters, consumers are not being adequately informed about their capabilities and the way they will affect privacy. That's according to a new Ponemon study, "Perceptions about Privacy on the Smart Grid," which polled 509 U.S.-based adults and found that 54 percent of those surveyed did not receive information about or know they had a smart meter until after installation. Smart meters will measure home energy usage, in some cases down to the appliance level. The privacy concerns consumers noted were misuse of personal information by the government (53 percent) and failure to protect personal information.

ONLINE PRIVACY

Internet Identities Have Nowhere To Hide (December 21, 2010)

In a report for The New York Times, Jenna Wortham retells a personal experience where a stranger tracked her online using her various Internet profiles to ask the question, "As digital identities become increasingly persistent across the Web, is it still possible to reinvent oneself online?" As one expert points out in the report, "As we casually go about our business, we are leaking all kinds of data that someone can piece back together." The report looks at entrepreneurs trying to build "some layers of anonymity back into the Web" and suggests the possibility that "the demands of a digital lifestyle have set a larger cultural transition into motion." (Registration may be required to access this story.)

ONLINE PRIVACY

Some Apps Are Watching You (December 20, 2010)

Your smartphone may be intelligent--knowing all about your contacts, locations and other information--but it is not good about keeping that knowledge to itself. That's according to a report in The Wall Street Journal that found about half of smartphone apps studied share users' personal information "widely and regularly." The investigation determined that apps share such information as unique IDs, phone location and even gender or other personal details without users' knowledge or consent, the report states. "In the world of mobile, there is no anonymity," a Mobile Marketing Association spokesman said, noting that when it comes to a smartphone, it is "always with us. It's always on." (Registration may be required to access this story.)

ONLINE PRIVACY

Navigating Permission Requirements Across Borders (December 20, 2010)

"Privacy and data protection have been major talking points throughout 2010," The Next Web reports in a review of data protection issues of the past year and the ongoing struggles of aligning privacy and permission with regulations that vary from state to state, nation to nation and continent to continent. The report looks at differences in privacy regulation from the U.S. to the EU and beyond. For social networks and online companies, one of the key challenges is "there is no global privacy law," and even with privacy policies "already longer than the U.S. Constitution," the report questions, can such sites "cater to the hundreds of different laws across the lands?"

PRIVACY LAW

Nova Scotia Passes Health Privacy Legislation (December 17, 2010)

Lawmakers in Nova Scotia have passed legislation to protect personal health records, the Winnipeg Free Press reports. Journalists have criticized the legislation, saying that it will restrict the work they do and will make reporters vulnerable to its penalties. But NDP Health Minister Maureen MacDonald says the intent of the law is to protect privacy, not restrict reporting. "It isn't intended to prevent journalists from doing their work," MacDonald said. Liberal health critic Diana Whalen said she agrees that the wording poses a risk to journalists, the report states, but she voted for the bill despite this because of the importance of protecting health information.

PRIVACY LAW

Opinion: Turn Your Attention to Bills C-28 and C-29 (December 17, 2010)

New bills making their way through the legislative process deserve the attention of information technology lawyers, The Toronto Sun reports. Bill C-28, the Fighting Internet and Wireless Spam Act, contains significant penalties for non-compliance; therefore, "we need to take a close look at this act before it takes effect to understand what it will mean for a typical business or organization," the report states. Bill C-29, which would amend the Personal Information Protection and Electronic Documents Act, contains language that "could use clarification," writes David Canton, who also discusses a copyright bill and a bill that would give law enforcement more access to electronic communications.

TRAVELLERS’ PRIVACY

Opinion: Border Plan Means More Data Collection (December 17, 2010)

A flurry of articles have been published this week concerning a border security agreement being developed between the Canadian and U.S. governments. "One of the obvious concerns is privacy and the sharing of Canadian information with the U.S. Department of Homeland Security," says a Calgary Herald editorial. The "Beyond the Border: A Shared Vision for Perimeter Security and Competitiveness" deal is expected to be signed by Canadian Prime Minister Stephen Harper and U.S. President Barack Obama in January. A Toronto Star editorial says that under the deal "considerably more personal information would be collected on Canadian citizens for handover to U.S. security agencies."

DATA THEFT

Feds Find Common Link in McDonald’s Data Theft (December 16, 2010)

More details have emerged in the theft of McDonald's customer data. The Register reports that U.S. Federal Bureau of Investigation (FBI) agents are looking into similar events that may have originated with a marketing services provider based in Atlanta, GA. FBI special agent Stephen Emmett said, "The breach is with Silverpop (Systems), an e-mail service provider that has over 105 customers." Emmett added that the breach "appears to be emanating from an overseas location."

PRIVACY LAW—U.S.

Commerce Report Calls for Privacy Office, Federal Breach Notification Standard (December 16, 2010)

The Commerce Department released its online privacy green paper today, National Journal reports. The report calls for the creation of a Commerce Department privacy office and recommends a federal data breach notification law that would preempt state laws. "A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the United States, streamline industry compliance and allow businesses to develop a strong, nationwide data management strategy," the report states. The paper also recommends the development of Fair Information Practice Principles. The department is soliciting comments on the paper.

PRIVACY LAW—CANADA

Stoddart Discusses Career (December 14, 2010)

The Globe and Mail recently sat down with Privacy Commissioner Jennifer Stoddart to discuss her career, her interest in the rights of women and the investigation she conducted as privacy commissioner that captured the attention of companies and regulators worldwide. Stoddart will continue in her role for another three years after being reappointed by Prime Minister Stephen Harper last week. She told The Globe and Mail the Internet privacy battle "is not over yet, because it is such a fast-changing world." The report suggests that Stoddart might seek greater enforcement powers for the Office of the Privacy Commissioner.

DATA LOSS—CANADA

Veteran’s Medical File Contains Data of Others (December 13, 2010)

A Navy veteran reviewing his medical file was surprised to find that its contents included sensitive personal information about other military personnel, the Canadian Press reports. The Department of Defence is investigating. "It's just ridiculous that all this information is misfiled, that I have all these guys' information," said Wayne Finn of Nova Scotia, adding "I shouldn't have it." NDP veterans affairs critic Peter Stoffer has asked for federal Privacy Commissioner Jennifer Stoddart's input on the issue. The news comes weeks after the Canadian government settled with another veteran on charges that it improperly shared his information among bureaucrats.

PRIVACY LAW

Border Plan Expected To Raise Privacy Concerns (December 10, 2010)

The government is expecting a privacy backlash over a border security agreement it is negotiating with the U.S., The Globe and Mail reports. Officials believe the security declaration, which is expected to be unveiled in January, will have Privacy Commissioner Jennifer Stoddart as one of its strongest critics, the report states. "Greater information sharing is part of the initiative. The safeguarding of privacy and sovereignty will be of concern for Canadians," according to a communications document on the security agreement. The document suggests the privacy commissioner will "raise concerns re: information sharing and protecting private information" and anticipates criticism from civil rights groups.

DATA LOSS

Unencrypted Devices Lost, Records Compromised (December 10, 2010)

CBC reports on the loss or theft of seven laptops and digital devices in Alberta during the past month that contained unencrypted health, employee and financial information. The devices include a laptop containing medical charts belonging to 2,700 pediatric gastroenterology patients, a digital recorder containing statements about wildlife investigations, a stolen laptop with contact information on junior forest rangers and employee evaluations and another laptop containing mortgage applications and other personal information. "I think that's just utterly irresponsible now in this day and age," Alberta Privacy Commissioner Frank Work said of the incidents. "You have a responsibility to your patients, your clients, your employees to encrypt their information when you're carrying it around with you. And the law says you have to do that."

PRIVACY LAW

Experts: Bill Must Go Further (December 10, 2010)

Privacy experts are recommending that proposed legislation to compel Canadian businesses to disclose when they lose customer data include federal fines, itbusiness.ca reports. Bill C-29 seeks reforms to the Personal Information Protection and Electronic Documents Act, including a notification requirement that "any material breach of security safeguards involving personal information" be reported to the Office of the Privacy Commissioner (OPC), and, if there is a potential risk of "significant harm to any individuals," to those individuals as well. Privacy experts suggest another step. As Michael Geist put it, "It's quite clear we need to have real penalties so part of that risk assessment is the real costs associated with it."

HEALTHCARE PRIVACY

Breach Shows Stricter Rules Are Needed (December 10, 2010)

Saskatchewan Information and Privacy Commissioner Gary Dickson is calling for tighter rules for faxing medical documents after a privacy breach last year where a change in a company's fax number resulted in 60 faxes containing private health information reaching the wrong recipients, CBC reports. He noted that "current policies and procedures do not address the issues that caused these breaches, and therefore are not likely to prevent a reoccurrence in the future." In general, he said, he is "underwhelmed" with what healthcare organizations have done to address potential fax problems, noting they must tighten the rules for sending faxes to avoid such breaches in the future.

ONLINE PRIVACY

Opinion: In the Cloud, Location Matters (December 10, 2010)

Michael Geist writes for the Toronto Star on the recent Wikileaks scandal as an example of how "location matters when it comes to cloud computing." Noting some of the advantages of cloud computing, Geist writes, "some consumers and business executives remain wary of the privacy and security implications of storing personal information in unseen computer server farms" and highlights the work of such Canadian leaders as Privacy Commissioner Jennifer Stoddart and Ontario Information and Privacy Commissioner Ann Cavoukian as being "ahead of the curve on the issue with reports on the privacy implications of cloud computing" that indicate "Canadian privacy law framework is applicable regardless of the technology, importing accountability requirements to cloud providers."

HEALTHCARE PRIVACY

Health Regions Shy Away from Privacy Rule Change (December 10, 2010)

Saskatchewan government officials are admitting they may have underestimated public reaction to a change in privacy rules for hospital fundraising, the Winnipeg Free Press reports. A change that allows health regions to share patients' names and addresses with hospital foundations that raise money has prompted more than half of the province's health regions to opt out of the plan due to a public outcry over privacy concerns, the report states. Privacy Commissioner Gary Dickson had shared concerns about the plan when it was announced in April. In noting that half of the health regions are backing out, he described a "groundswell of opposition" from individuals concerned about the plan.

TRAVELLERS’ PRIVACY—CANADA

Commissioner Launches Air Travel Audit (December 9, 2010)

The Vancouver Sun reports on the Office of the Privacy Commissioner's air travel security audit focusing on the government agency in charge of passenger screening. The aim of the review is to determine whether the Canadian Air Transport Security Authority is following through on promises made to minimize privacy intrusions of new airport scanners, the report states. "We want to go back and see what's happening a year later--if the commitments made by the government have been followed up," Privacy Commissioner Jennifer Stoddart said. The audit, which is expected to be published next fall, will also look at the use of other technology, such as airport surveillance cameras.

PRIVACY—CANADA

Commissioner’s Reappointment Confirmed (December 9, 2010)

Prime Minister Stephen Harper has announced the reappointment of Privacy Commissioner Jennifer Stoddart for a three-year term, effective immediately. The reappointment was recently approved by parliament, according to an announcement from the Office of the Prime Minister. When he nominated Stoddart for an additional term in November, Harper described her as bringing "considerable expertise in privacy protection issues and a deep understanding of the importance of open and transparent government." Stoddart will continue in the post she has held since December 2003, overseeing compliance with the Privacy Act and the Personal Information Protection and Electronic Documents Act. 

ONLINE PRIVACY

Study: Popular Sites “Sniffing” Web Histories (December 7, 2010)

While a recent lawsuit accuses an adult Web site of computer fraud for allegedly "history sniffing" its users' Web activity, researchers at the University of California, San Diego, are spotlighting the use of "history sniffing" to track user activity online, eWeek reports. In an analysis of 50,000 popular Web sites, the researchers found that 485 "are capable of inferring browser history data, 63 of which are transferring that data to their network. In addition, 46 sites were actively participating in history sniffing," the report states. One of the report's authors suggests that "the bigger surprise was that there is an entire industry that has grown around this practice--behavioral analytics."

ONLINE PRIVACY

Data Miners To Tell Customers What They Know (December 3, 2010)

A group of online tracking companies is building a service set to launch in January that will let consumers see what they know about them, The Wall Street Journal reports. The Open Data Partnership "is the first of its kind in the fast-growing business of tracking Internet users and selling personal details about their lives," the report states, and "will allow consumers to edit the interests, demographics and other profile information collected about them" or choose not to be tracked at all. "The government has told us that we have to do better as an industry to be more transparent and give consumers more control," said a spokesman for the initiative. "This is a huge step in that direction." (Registration may be required to access this story.)

PRIVACY

Stoddart Discusses Social Network, Privacy Challenges (December 3, 2010)

In a Q and A with SC Magazine Canada, Privacy Commissioner Jennifer Stoddart discusses her annual report and such key privacy issues as improved Office of the Privacy Commissioner (OPC) dealings with Facebook, anti-spam legislation, use of new technologies and "much needed rejuvenation" of the Privacy Act. Separately, Facebook Canada Managing Director Jordan Banks has suggested that while consumers expect to receive targeted online marketing, "Everything we do, we look through the lens of privacy" and praised the OPC for "great insights" into privacy and the Web. "Facebook now has good legal representation here in Canada, which facilitates our dialogue," Stoddart said in the interview.

PRIVACY

Opinion: Stoddart Reappointment the Right Move (December 3, 2010)

In an editorial, the Ottawa Citizen offers support for the prime minister's decision to nominate Privacy Commissioner Jennifer Stoddart for reappointment. "Seven years ago, she took over an office in disarray," the editorial states, "and turned it into an internationally recognized storehouse of expertise...There's an urgency to every matter she takes on, because when an individual's privacy is under threat, a remedy delayed is a remedy denied." The editorial highlights Stoddart's work as commissioner, noting that she "is particularly suited for this age, when new kinds of cooperation between states, new global business models and new territories in cyberspace are forcing privacy advocates to keep one step ahead."

HEALTHCARE PRIVACY

Cavoukian: Rules Will Protect Records (December 3, 2010)

Ontario Information and Privacy Commissioner Ann Cavoukian believes rules protecting patient records will keep them from being vulnerable if London hospitals move toward a deal with a U.S. software giant, the London Free Press reports. When it comes to patient information, she said, "You can outsource services, but you cannot outsource accountability." Cavoukian said that for health information, Ontario has "perhaps the best privacy law on the planet...We don't take these things lightly."

PRIVACY LAW

Work: Credit Checks Broke Law (December 3, 2010)

Alberta Privacy Commissioner Frank Work has found that Alberta Justice broke the province's privacy laws and the Maintenance Enforcement Program (MEP) violated the Freedom of Information and Protection of Privacy Act after running unauthorized credit checks on 25 MEP employees, the Edmonton Sun reports. Work said the department has agreed an error was made, and he is satisfied the proper steps have been taken to prevent it from happening again, the report states. The investigation was launched when employees with the MEP lodged complaints about unauthorized credit checks that were part of a 2009 internal investigation involving forged checks.

PRIVACY LAW

Opinion: Proposed Laws Threaten Privacy (December 3, 2010)

In a piece for The Vancouver Sun, Kashif Ahmed and Eric Miller argue that proposed legislation has "onerous implications for privacy rights and civil liberties," citing the Improving Access to Investigative Tools for Serious Crimes Act, Investigative Powers for the 21st Century Act and an act regulating telecommunications to support investigations. The issue, the authors contend, is the proposed laws "require service providers to disclose their subscribers' name, address, contact data, IP address and other details used to identify individuals and track their every method of communication." Kashif and Miller write, "the new bills demonstrate an erosion of civil rights and provide no greater procedural protections for the privacy rights of Canadians."

TRAVELLERS’ PRIVACY

Balancing Security with Privacy Has Its Complications (December 3, 2010)

MACLEANS reports on the continuing debate about how to balance privacy with increased security measures at airports. Experts argue that neither the U.S. nor Canada has yet struck the right balance, the report states, because of the massive amount of data collected on travellers via body scanners, travel history checks and arrest records. Canada's ability to balance security and privacy is hampered, also, by information agreements with the U.S. and the fact that the federal privacy commissioner remains "a player on the peripheries of the national security debate in Canada," states a Canadian security expert's report.

DATA LOSS

Medical Records Found on City Street (December 3, 2010)

Two city parking enforcement officers found hundreds of medical papers in a St. John's parking lot last week. The Telegram reports that the records included patients' procedure information, doctor-to-doctor correspondence, ultrasound photos and a recording device. The officers collected the documents and called the police, who returned them to the rightful owner. According to an RNC spokeswoman, the owner of the records--a physician--reported a vehicle burglary. Eastern Health was informed of the breach and began an internal investigation. "At this time, we can confirm that the majority of the documents were not the property of Eastern Health," said a spokeswoman.

PRIVACY LAW

Courts Set High Bar for Damage Awards (December 3, 2010)

Those seeking privacy-related damages are finding that Canadian courts have set the bar high. Writing for the Toronto Star, Michael Geist highlights two recent Federal Court decisions that "arrived at the same conclusion--personal privacy is not worth much when it comes to actual compensation for privacy breaches or abuses." Although in both cases the privacy commissioner and the courts agreed that complainants' privacy rights had been violated, damages were refused. Geist writes, "While the desire to limit damage awards to serious privacy breaches is understandable, the evolving case law may have the unintended consequence of diminishing respect for privacy compliance."

PRIVACY LAW

Opinion: Who’s Watching Your Smart Meter? (December 3, 2010)

The Supreme Court of Canada has ruled that the use of electricity-consumption data obtained from a power supplier without a search warrant did not constitute a violation of privacy. In an opinion piece for the Toronto Sun, Alan Shanoff asks whether there is a reasonable expectation of privacy in relation to the consumption data, noting the seven judges who determined there was not "came to this conclusion in an odd fashion" that could easily have gone another way. "What I really worry about," he writes, "is who has access to smart meter data and what personal information can be gleaned from that data."

ONLINE PRIVACY—U.S.

U.S. FTC Releases Privacy Report (December 3, 2010)

The U.S. Federal Trade Commission has released its long-anticipated staff report on consumer privacy, The New Zealand Herald reports. The report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," released Wednesday, includes preliminary recommendations. It calls for increased transparency and simplified consumer choice and endorses the creation of a do-not-track mechanism that would let consumers opt out of targeted advertising and data collection. FTC Chairman Jon Leibowitz said the report makes recommendations for best practices and is "not a template for enforcement." Early reaction to the report runs the gamut--from praise to rejection to additional questions, according to a Wall Street Journal report. The FTC will accept comments on the report through January 31, 2011.