Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY LAW—CANADA

Toews Unmoved by Letter (October 28, 2011)

Postmedia News reports that Public Safety Minister Vic Toews is unmoved by the federal privacy commissioner's urgings to consider the effect potential lawful access legislation would have on the privacy rights of Canadians. In a public letter to Toews this week, Commissioner Jennifer Stoddart outlined several concerns about the legislation, saying that "Read together, the provisions of the lawful access bills from the last session of Parliament (C-50, C-51 and C-52) would have had a significant impact on our privacy rights." Stoddart added that "the government has not convincingly demonstrated that there are no less privacy-invasive alternatives available to achieve its stated purpose."     

EMPLOYEE PRIVACY

Drivers’ Union Investigating Covert Cameras (October 28, 2011)

After discovering hidden cameras inside approximately 14 metro buses, Vancouver bus drivers and the Canadian Auto Workers Union 111 are seeking legal advice as to whether Coast Mountain Bus Company breached the drivers' privacy, the Vancouver Sun reports. Cameras were originally installed to provide security and protection for drivers, but the second "hidden" lens was reportedly never disclosed. A union representative said, "The greatest damage that has been done is to the employees in terms of mistrust...It's not a good feeling to find out the company installed secret cameras." The company has said the cameras were supposed to have been removed and has apologized to its 3,500 drivers.

INFORMATION ACCESS

FOI, Gun Registry Up For Debate (October 28, 2011)

Presenting arguments before the Newfoundland and Labrador Supreme Court, lawyers attempted to determine what role the information and privacy commissioner has in cases involving access to information requests, The Telegram reports. The case revolves around a media request for a government official's e-mail over a five-day period. The judge said he needs time to decide the case. Meanwhile, British Columbia Information and Privacy Commissioner Elizabeth Denham says she's "deeply troubled" by a reported loophole that allows taxpayer-funded educational institutions the choice of whether to disclose the use of that money to the public. Denham has said the government should amend the Freedom of Information and Protection of Privacy Act to fix the problem. Additionally, Federal Information Commissioner Suzanne Legault says she will review proposed legislation that would destroy gun registry records.

EMPLOYEE PRIVACY

Privacy Commissioner Releases Hiring Guidelines (October 28, 2011)

To ensure employers are familiar with British Columbia's Personal Information Protection Act, the province's privacy commissioner has released guidelines for the time when the majority of personal information is transmitted--the hiring process, Kelowna Capital News reports. The guidelines include advice on what to do with unsolicited resumes, employer information requests and reference and background checks. The commissioner also recently published guidelines on conducting background checks via social media websites.

PERSONAL PRIVACY

Opinion: Users Lack Control of Personal Data (October 28, 2011)

Noting that "the tools to control our digital privacy and protect valuable personal data are not in our hands," Calgary Herald columnist Lee Rickwood adds that "the idea of designing privacy controls into digital products or online services is at the very least an appropriate consideration." With existing tracking technologies that follow users who are not logged in, "Users should not have to 'go deep' into a computer program or Internet activity log to find out about online tracking tools used by a given site or its third-party partners." Topics such as these were discussed by Alberta Information and Privacy Commissioner Frank Work and British Columbia Privacy Commissioner Elizabeth Denham at a recent conference.

ONLINE PRIVACY

Opinion: Web 3.0 Is Underway (October 28, 2011)

In a column for the Toronto Star, John Terauds writes about what the industry is calling Web 3.0, which is "how to best take advantage of the billions of pieces of data about how we live, work, love and shop that are being generated by social media." A representative from the World Wide Web Consortium said, "We're about to see a new arms race between consumer protection versus those companies that want to lure people into something." Terauds opines that as the barriers between marketing and personal life break down, "we and our children leave a trail of electronic breadcrumbs that can be picked up by anyone who has the means to grab and analyze that data on social media sites."

SOCIAL NETWORKING

Privacy Concerns Go Global (October 28, 2011)

Human Resource Executive Online reports that just as social media use has become a worldwide phenomenon, "so too has concern over privacy breaches and potential employment-related litigation." The report highlights examples from across the globe--including 99,000 discrimination allegations filed with the U.S. Equal Employment Opportunity Commission last year; the view in many European countries that electronic data is owned by the data subject; varied privacy laws from country to country; and the impact of cultural differences. Despite such differences, the report states, "there are good reasons for parameters, particularly in industries and sectors where personal information breaches could threaten an organization's credibility or survival."

BEHAVIORAL TARGETING

Credit Card Companies Look Into OBA (October 26, 2011)

The Wall Street Journal reports on plans by the world's two largest credit card networks to move into the online behavioral advertising business. Though the technology to link purchase transactions with an individual's online profile is still evolving, according to the report, Visa and Mastercard are currently pursuing the idea. The article cites a published Visa patent application that would attempt to incorporate information from DNA data banks into profiles that would target consumers online. Meanwhile, a representative from Mastercard said in an interview in August, "There is a lot of data out there, but there is not a lot of data based on actual purchase transactions...We are taking it a level deeper...it is a much more precise targeting mechanism." (Registration may be required to access this story.)

DATA PROTECTION

Study Delves Into the Stress of the Job (October 26, 2011)

A survey commissioned by data protection company Websense shows that while many IT managers feel their jobs depend on keeping company data secure, 91 percent said new levels of management are engaging in data security conversations. Systems & Networks Security reports the study polled 1,000 IT managers and 1,000 non-IT employees in Canada, Australia, the U.S. and the UK about security threats, and 86 percent of respondents said their job would be at risk if a security incident occurred, while 72 percent called protecting company data more stressful than getting a divorce. Meanwhile, "When asked about real-time protection solutions in place, many respondents listed product and vendor names that don't offer real-time protection at all," said a Websense spokesman.

ONLINE PRIVACY

Researcher Says Skypers Are Vulnerable (October 25, 2011)

A researcher from New York University (NYU) will present findings in Berlin next week asserting that Skype may allow strangers access to users' contact details. "If you have Skype running in your laptop, then I or any other attacker can inconspicuously call you, obtain your current IP address and your current location without you ever knowing about it," says NYU's Keith Ross, a professor of computer science. A high school-aged hacker would be capable of such an act, Ross says, adding that the hacker could scale the operation to track thousands of users. Skype's chief information security officer says determining other users' IP addresses is possible with typical Internet communications software, not just Skype's. 

SOCIAL NETWORKING

DPC Investigating “Shadow Profiles” and Data Logs (October 24, 2011)

The Irish Data Protection Commissioner (DPC) is investigating complaints against Facebook for its data collection practices. Fox News reports on one allegation that the site encourages members to offer information on nonmembers and uses it to create "extensive profiles." The Wall Street Journal reports that another complaint claims Facebook held information on an Austrian student which appeared to have been deleted from his account. The data included rejected friend requests, untagged photos of the student and logs of all his chats. Facebook denies both claims. A company spokeswoman said "the assertion that Facebook is doing some sort of nefarious profiling is simply wrong," adding that its messaging service works the way "every message service ever invented works." (Registration may be required to access this story.)

INFORMATION ACCESS

Commissioner Finds No Wrongdoing, Draws Criticism (October 21, 2011)

Alberta Information and Privacy Commissioner Frank Work announced Tuesday that an investigation into former minister Ted Morton's use of a secondary e-mail address found no evidence of wrongdoing, the Edmonton Journal reports. In a press release, Work said that the use of the secondary e-mail address was not an attempt "to circumvent" the Freedom of Information and Protection of Privacy Act. However, some are criticizing the investigation because Work and his office did not interview Morton directly. Politician Laurie Blakeman said, "I think what we are seeing here is the freedom of information and protection of privacy information legislation in Alberta is, there's no question, slanted toward the government being able to hang onto the information." Work has since said that he didn't see a need to interview Morton.

PRIVACY LAW

Opinion: BC Bill Could Threaten Privacy (October 21, 2011)

In a column for the Victoria Times Colonist, Vincent Gogolek opines about a bill before the British Columbia legislature that could "radically increase" the government's "power to collect, use and share" citizens' personal information. Introduced October 4, Bill 3 "eliminates many of the privacy protections in the Freedom of Information and Protection of Privacy Act." Proposed amendments include making it easier for the government to share personal information with "partner" organizations and other governments--such as the U.S. Department of Homeland Security. Gogolek writes that officials are "definitely not talking to British Columbians about how, when, why and with whom the government will be sharing some of our most intimate information."

DATA PROTECTION

OPC Launches “Small Business Week” (October 21, 2011)

The Office of the Privacy Commissioner of Canada (OPC) has made this week "Small Business Week" to educate small businesses on data security and privacy protection best practices. The OPC has also created a new section on its website providing small businesses access to online tools to help measure their data protection and security. Additionally, a series of articles will be published to increase awareness of common cybersecurity threats. Privacy Commissioner Jennifer Stoddart said, "Privacy goes hand-in-hand with trust and, for any business, trust goes hand-in-hand with customer loyalty and client confidence."

INFORMATION ACCESS

Agencies in Legal Battle with Information Commissioner (October 21, 2011)

Officials on the Commons Access to Information, Privacy and Ethics Committee are looking into a court battle between the Canadian Broadcasting Corporation (CBC) and Information Commissioner Suzanne Legault, the Ottawa Citizen reports. Citing the Access to Information Act, the CBC will not disclose certain information to the commissioner because it relates to journalism. The Federal Court has ruled that Legault can view the documents, but the CBC has appealed the ruling, the report states. MP Dean Del Mastro said, "My concern is that we have a public entity, the CBC, in court against the information commissioner of the House spending millions of dollars fighting each other."

DATA PROTECTION—U.S. & CANADA

Regulators Urge Business Leaders To Limit Data Collection (October 19, 2011)

Speaking at a conference in San Francisco, U.S. and Canadian regulators warned entrepreneurs and business leaders of the dangers of collecting unnecessary data from customers, InformationWeek reports. FTC Bureau of Consumer Affairs Director David Vladeck said that businesses should only collect information they need and not retain it longer than is necessary, adding, "It's an albatross that can come back and really bite you." Saying that "privacy is an enabler of innovation" and can provide a competitive advantage, Ontario Information and Privacy Commissioner Ann Cavoukian urged businesses to proactively protect privacy and give consumers control of their data. "Privacy is about control...The individual should control what happens to the information," said Cavoukian.

ONLINE PRIVACY

Site Brings New Meaning to “Creepy” Data Use (October 19, 2011)

A new website--used by 300,000 people in its first 24 hours--accesses information from people's Facebook accounts to create a personalized horror movie featuring a man browsing through the user's account and "getting increasingly agitated," reports The New York Times. Take This Lollipop's developer, Jason Zada, says creating the site was a fun seasonal project but adds that its popularity may in part be due to people's concerns about how their data is being used. "When you see your personal information in an environment where you normally wouldn't, it creates a strong emotional response," Zada said. "It's tied into the fears about privacy and personal info that we have now that we live online." (Registration may be required to access this story.)

PERSONAL PRIVACY—CANADA

Coalition Wants Smart Meters Stopped (October 18, 2011)

A citizens' coalition in British Columbia hopes to stop a utility's installation of smart meters in homes across the province, Nanaimo News Bulletin reports. "These BC Hydro smart meters have to go completely," said spokesman Walter McGinnis of the Coalition To Stop Smart Meters. The group wants to stop the mandatory installation of the meters due to privacy, security and other concerns. It plans to launch an appeal under the BC Recall and Initiative Act. BC Hydro Community Relations Manager Ted Olynyk says that meter installations will continue. The utility asserts that the meters use data protection methods similar to those used by banks.

PRIVACY LAW

Commissioner: Political Party Breached Act (October 14, 2011)

BC Privacy Commissioner Elizabeth Denham has ruled that the provincial NDP broke the law during its last political race. Last April, the NDP "asked potential candidates to hand over their social media passwords as part of the vetting process," CBC News reports. Most complied with the request; however, one candidate refused, later agreeing to hand over his personal information but not his password. The NDP's actions violated the Privacy Act, Denham says, in its collection of personal information about the candidates and others without their consent. A spokesperson for the NDP said it stopped collecting the password after Denham voiced concerns.

DATA LOSS

Cavoukian: Stop Sending Paper Records (October 14, 2011)

Ontario's privacy commissioner has ordered a provincial healthcare provider to stop sending paper records, the Toronto Star reports. The order issued on Thursday follows an investigation into Cancer Care Ontario's loss of personal information on more than 7,000 patients. "Cancer Care Ontario should not have used a courier service to send paper-based records...when other viable, more secure and privacy protective options were available," said Commissioner Ann Cavoukian. The agency's chief privacy officer said, "We accept the recommendations," adding that Cancer Care will be moving to an electronic portal format and will increase staff training, among other steps.

ONLINE PRIVACY

Commissioner Shares Insights, Concerns (October 14, 2011)

In an interview with Communitech, Privacy Commissioner Jennifer Stoddart shares insights about online privacy, including the challenges of keeping personal information safe and raising public awareness of potential threats. When asked about key concerns, Stoddart focused on two issues. The first is the need for a paradigm shift so that companies, as she put it, "Innovate for privacy, and if you don't, either in terms of reputational harm or in terms of monetary penalties, it won't be worth your while." The second, she said, is the issue of data security, adding that amid many recent reports of breaches, "I think we really have to look at rejigging the incentive system."

INFORMATION ACCESS

Police Refuse Record Disclosure (October 14, 2011)

York Regional Police are refusing to release reports on lost or stolen weapons, citing privacy concerns about involved officers' personal information. The force's freedom of information officer says the names of officers who lost weapons or the circumstances in which the weapons were lost can't be released without consent from the officers involved. The Toronto Star requested the data as part of an investigation into lost or stolen weapons in the area. A University of Ottawa professor specializing in access to information and privacy says there is no reason the information should be considered private.

DATA LOSS

Company Suspends 93,000 Online Accounts (October 12, 2011)

Sony announced that it has locked 93,000 online network user accounts because of an unusual number of sign-in attempts from an unauthorized user, AFP reports. The suspicious activity reportedly took place between October 7 and 10 and verified user IDs and passwords. The company said that the incidents "appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources," and "only a small fraction of the 93,000 accounts showed additional activity prior to being locked." Sony is continuing an investigation into the breaches and has notified affected users.

FINANCIAL PRIVACY

U.S. Crackdown on Offshore Accounts Raises Concerns (October 7, 2011)

Foreign financial institutions will need to start identifying their American accountholders as part of the U.S. Foreign Account Tax Compliance Act (FATCA) in 2014, and Privacy Commissioner Jennifer Stoddart has warned it could "run afoul" of Canada's privacy laws, The Globe and Mail reports. Referencing a "little-noticed provision" pertaining to derivatives contracts, the report states that FATCA will "require that foreign financial institutions ensure all transactions dated after March 18, 2012, comply with the new rules," and, "Without changes, Americans living in Canada could eventually be denied service by Canadian financial institutions if they balk at providing their U.S. Social Security number or taxpayer ID number, as demanded by the IRS."

INFORMATION ACCESS

Commissioner To Investigate Secondary E-mails (October 7, 2011)

Alberta Information and Privacy Commissioner Frank Work has announced that his office will investigate the use of secondary e-mail accounts by cabinet ministers and revisit the rules and policies that apply to such usage, CBC News reports. Work will release a report once the investigation is complete. According to a news release from Work's office, the investigation is not "an offence or breach investigation...Rather, the commissioner wishes to establish clear guidelines respecting the treatment of ministerial e-mails under the Freedom of Information and Protection of Privacy Act." 
 

ONLINE PRIVACY

Gov’t Launches Cybersecurity Awareness Initiative (October 7, 2011)

Citing the myriad threats to online privacy, the federal government has started a public awareness campaign to inform citizens about cybersecurity, The Vancouver Sun reports. The government's initiative--Get Cyber Safe--was introduced by Public Safety Minister Vic Toews and features a website informing individuals about ways to protect their online identity. The campaign also includes calls to government authorities--from provincial to international--to share cybersecurity responsibilities as well as to the private sector to improve online data protection. Toews said, "Our increasing reliance on cyber technologies makes us more vulnerable to those who would attack our digital infrastructure to undermine our national security, economic prosperity and quality of life."

PRIVACY LAW

Opinion: Quebec Needs Data Protection Amendment (October 7, 2011)

In the Montreal Gazette, Éloïse Gratton writes that the federal government's reintroduction of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) includes a business transaction exemption, which--if passed--would put the legislation in line with British Columbia's and Alberta's data protection laws. Gratton notes that if the proposed amendments in Bill C-12 are made into law, then "Quebec will be the only jurisdiction with a data protection law not providing for a business transaction exemption," adding that organizations within Quebec's jurisdiction "will continue to proceed without clear knowledge of the risks involved" in a business transaction that discloses personal information.

SOCIAL NETWORKING

Opinion: “Small Changes” Have Big Privacy Impact (October 7, 2011)

In his column for The Globe and Mail, Ivor Tossell writes that while major changes to the world's largest social network "make big headlines...it's the small changes we really need to worry about." Facebook recently rolled out "a tiny change, so small as to seem completely unworthy of note" that makes it more difficult for users to untag themselves from photos, he writes, suggesting, "The tiniest details of design have a huge effect on the way people use technology." Making the process more cumbersome has "tilted the playing field" away from privacy, he writes, and "from all the photos, events, tags and comments, Facebook can piece together a remarkable picture of what you've done where, when and with whom."      

PERSONAL PRIVACY

Cavoukian: Web Users Must Have Freedom To Choose Privacy (October 7, 2011)

In a letter to the editor in The Wall Street Journal, Ontario Information and Privacy Commissioner Ann Cavoukian writes that reviewers of a new book by Jeff Jarvis, Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live, have been "seduced by the virtues of 'publicness'" and "generally fail to give appropriate weight to his contrasting observations about the importance of retaining control over one's personal information." Cavoukian writes, "The decision whether or not to share--indeed, the very ability to control that which is shared--must lie with the individual." (Registration may be required to access this story.)

PERSONAL PRIVACY

Opinion: iPhone Technology To Change Lives (October 7, 2011)

New iPhone plans will bring highly sophisticated facial recognition technology to millions of users, reports Kit Eaton for Fast Company. The technology will allow for automatic identification of photo subjects, authorization of online payments and, potentially, lip reading. But Eaton wonders if iPhone manufacturer Apple will also use the technologies for advertising efforts. "The ubiquitous use of face IDs and deep integration of social networking into iOS 5 will be bound to cause hand-wringing about the erosion of personal privacy," Eaton writes.

FINANCIAL PRIVACY

Expert: Many Complacent on PCI DSS Compliance (October 6, 2011)

In an interview with BankInfoSecurity.com, Verizon PCI Consulting Services Director Jen Mack says that many organizations are still struggling with the Payment Card Industry Data Security Standard (PCI DSS). In its PCI Compliance Report, Verizon disclosed results of a study of 100 organizations--ranging from Fortune 500s to small businesses--showing that many are complacent about security. "Many take the approach that it's a compliance project versus trying to achieve what I think can be an optimal security posture for the long-term health of the business," says Mack. She also discusses how organizations maintain compliance, why many are complacent with security and why cardholder data breaches should be a concern for the industry.

PRIVACY

Pro Bono Privacy Initiative Brings Expertise to Nonprofits (October 6, 2011)

Amidst a growing need among nonprofits for expertise in the protection of personal information, privacy professionals have come together to form the Pro Bono Privacy Initiative, which is now in its pilot phase. In this Daily Dashboard exclusive, pilot volunteers--who hail from such well-known firms and companies as Baker & McKenzie, Hogan Lovells, Hunton & Williams, Deloitte, Intuit, Verizon and IBM--discuss their hope for this new program. As IBM VP Security Counsel and Chief Privacy Officer Harriet Pearson, CIPP, puts it, "The true sign of a mature profession is when people step back and give back."   

PRIVACY LAW—CANADA

BC Legislation Proposes Sweeping Changes (October 5, 2011)

Lawmakers in British Columbia have proposed legislation that would make "significant changes" to its Freedom of Information and Protection of Privacy Act, The Victoria Times Colonist reports. The proposed changes would allow the province to issue CareCard-driver's licenses with a microchip giving citizens access to government services such as electronic health records, voting and school registrations, according to the report. The legislation also includes an opt-out for citizens. One critic warned, "The whole idea of consenting to government services in exchange for your privacy is absurd on its face," while British Columbia Privacy Commissioner Elizabeth Denham said, "This is a step in the right direction, but I think there's still a lot of work to do."

DATA PROTECTION

Experts Offer Advice on Legacy IT Systems (October 5, 2011)

Though businesses rolling out new IT systems or collecting new data on their customers are increasingly privacy-conscious, the same is not true for legacy systems, reports Computerworld Canada. Experts including Ontario Privacy Commissioner Ann Cavoukian and Sagi Leizerov, CIPP, of Ernst & Young, offer advice on how to address the most pressing issues when it comes to such systems, including advising IT staff that more is not better when it comes to data collection, taking stock of "which systems your sensitive information is passing through...evaluating and improving upon the password policy settings in custom apps" and looking at any "unrestricted mass data storages and share folders."

PRIVACY LAW

Court: U.S. ECPA Covers Noncitizens (October 4, 2011)

A federal court has ruled that individuals who are not citizens of the U.S. are covered under the protections provided by the Electronic Communications Privacy Act (ECPA), Courthouse News reports. An India-based company wants Microsoft to disclose the e-mails of an individual accused of fraud in Australia, but the 9th Circuit Court has ruled that the defendant's e-mail account is protected under ECPA. One judge wrote that "this case ultimately turns on the plain language of the relevant statute" and the "plain language" is the term "any person." Meanwhile, the U.S. Supreme Court will not review a California Supreme Court case that upheld law enforcement's right to search suspects' cell phones without a warrant. Editor's note: The IAPP will host the Web conference How to Craft Plain Language Privacy Notices on Thursday at 1 p.m. ET.