Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY LAW

Nunavut To Enact Privacy Legislation (December 23, 2011)

Barbara McIsaac of Borden Ladner Gervais LLP reports on the coming Nunavut legislation that will amend the Access to Information and Protection of Privacy Act. The legislation will cover "rules governing how government can collect, use and disclose personal information" and "includes a limitation that personal information is used only for the purposes for which it is collected..." Nunavut Premier Eva Aariak has announced that the amendments will be tabled by the end of next year. "The proposed amendments," Aariak said, "will allow individuals the ability to complain to the information and privacy commissioner if they feel that the government of Nunavut has inappropriately collected, used or disclosed their personal information. It will also make it mandatory for departments to report privacy breaches within their departments to the information and privacy commissioner." (Registration may be required to access this story.)
Full Story

BEHAVIOURAL TARGETING

OPC Discusses Tracking Concerns (December 23, 2011)

Privacy Commissioner Jennifer Stoddart asks in the Office of the Privacy Commissioner (OPC) blog how shoppers would feel if those behind the security cameras used to monitor for theft were keeping tabs on all activities from brands purchased to food court selections. "This may sound far-fetched, but something similar is happening regularly to eight in 10 Canadians aged 16 and older" who browse online. When it comes to behavioural advertising, she writes, "individuals must be made aware of what's happening when they browse and provide meaningful consent." The OPC will be "watching the watchers," she writes, "And if we see troubling trends, we'll take enforcement action."
Full Story

DATA LOSS

OIPC Prepared To Investigate Breach (December 23, 2011)

Newfoundland and Labrador Information and Privacy Commissioner Ed Ring has announced that residents contacted by Service Newfoundland and Labrador regarding a recent breach may file a complaint with his office, The Telegraph reports. He has also clarified that his office "had no knowledge of the breach until the day of the news release" and that it is prepared to investigate any complaints, the report states. "I do understand that Service NL is conducting its own internal investigation of this matter, and whether or not we receive any complaints from individuals, we look forward to hearing from the department when they have concluded their own analysis," he said.
Full Story

SURVEILLANCE

Opinion: Vigilance Needed on Surveillance (December 23, 2011)

In the Ottawa Citizen, Roland Paris says that even liberal democracies with strong privacy laws should be wary of the potential for government surveillance. Paris, who is founding director of the Centre for International Policy Studies and an associate professor at the University of Ottawa, cites a recent Brookings Institution report that warns that "Within the next few years, it will be technically possible and financially feasible for authoritarian governments to record nearly everything that is said or done within their borders." The report "speaks to the importance of a different kind of heightened vigilance..." Paris writes, "of our right to remain largely hidden from the constant gaze of the state."
Full Story

PRIVACY LAW

Privacy Breach Class-Actions on the Rise (December 23, 2011)

Alex Cameron and Sebastien Kwidzinski of the law firm Fasken Martineau analyze the rise of class-action litigation connected with incidents of alleged privacy breaches in Canada. The bulletin focuses mainly on Rowlands v. Durham Region Health, a case involving a lost USB thumb drive containing sensitive health information of approximately 83,500 patients. The class-action lawsuit, citing negligence and breach of statutory duty of data protection, seeks $40 million in damages. "While the merits of the lawsuit have yet to be determined," they write, "the case has potentially wide ranging implications for healthcare providers--and many other organizations that hold personal information subject to privacy laws."
Full Story

PRIVACY LAW

Opinion: Privacy Rights and “Reasonable” Steps (December 23, 2011)

In the Financial Post, Drew Hasselback opines that privacy rights should not always trump "other values" that small businesses use in running operations. "Because privacy is statute-driven, every business needs to determine which of the many privacy laws it needs to respect and what it needs to do to comply," he writes. Hasselback notes that the Leon's Furniture Limited v. Alberta case proves "that a customer's personal privacy needs to be balanced against the right of a business to take reasonable steps to protect itself from fraud." The Alberta legislation, he argues, does not specifically say that a business needs to take "better" steps to ensure privacy; "it only requires reasonable" steps.
Full Story

SOCIAL NETWORKING

Opinion: Privacy Is Not Dead, But It’s Hurting (December 23, 2011)

In a Reuters blog post, Don Tapscott writes about 20 ideas for 2012 and highlights the erosion of privacy through the use of social networks. "In the past," Tapscott writes, "the threat was Big Brother (governments) assembling detailed dossiers about us. Then came Little Brother (corporations) creating detailed customer profiles. Today, the problem is the individuals themselves." Social networking sites "encourage individuals themselves to directly and voluntarily publish granular data short-circuiting the obligations of organizations to seek informed consent," which prompts Tapscott to ask, "What new can be done to prevent the destruction of privacy as we know it?"
Full Story

PRIVACY LAW

Opinion: Commissioner’s “Top-Down” Approach Curbs Citizen Participation (December 23, 2011)

Writing for rabble.ca, Anton Oleinik expresses concern about the privacy commissioner's "top-down" approach to protecting citizens' privacy. Oleinik questions whether citizens should rely on the commissioner's "insight and expertise in the matters of protecting their privacy rights, or should they take their own initiative and guide the commissioner's efforts in this highly sensitive area by helping her spot problems that call for solutions?" Oleinik points out that between 2003 and 2005, Canadian privacy complaints "reversed radically" in volume. "Can this drop in the number of citizen contacts with the ombudsperson," he writes, "be attributed to the increased efficiency of government bodies in meeting and anticipating the privacy concerns of the constituency or to Canadians' growing reliance on the ombudsperson's website as a source of information about privacy?"
Full Story

DATA PROTECTION

APEC Announces New Members to CPEA (December 23, 2011)

In a press release, APEC has announced the addition of several new authorities to its Cross-border Privacy Enforcement Arrangement (CPEA). APEC launched the CPEA last year in an effort to boost regional cooperation on privacy enforcement. Fifteen Japanese agencies--including the Consumer Affairs Agency, the Cabinet Office, the National Police Agency and the Ministry of Foreign Affairs--have joined the CPEA's founding members. "The participation of privacy law enforcement authorities from Japan further strengthens APEC's cooperation arrangements to the benefit of consumers across the region," said Danièle Chatelois, chair of APEC's Data Privacy Subgroup.
Full Story

BIOMETRICS

Is a Facial Recognition Opt-Out Possible? (December 22, 2011)

Slate reports on recent advances in facial recognition and detection technology and the inherent difficulties involved when offering an opt-out for individuals in the physical world. Though facial recognition technology is not entirely sophisticated at this point, "critical questions" about personal privacy remain. The column asks, "At what point do people know they are being watched? Where can they find the privacy policy to learn what happens when they're on camera? How can they opt out if they're not comfortable with the technology?" Noting that these questions were discussed at a recent Federal Trade Commission roundtable by industry representatives, regulators and privacy advocates, the report suggests the answers and "suggestions were problematic and superficial."
Full Story

PERSONAL PRIVACY—CANADA

Commissioner Releases Report on Smart Meters (December 20, 2011)

BC's Information and Privacy Commissioner has released an assessment of BC Hydro's smart meter program and determined that the corporation is not fully compliant with the Freedom of Information and Protection of Privacy Act, CBC News reports. "I think they thought their communication was sufficient and we found it was deficient," BC Commissioner Elizabeth Denham said. The commissioner launched an investigation last summer after receiving some 600 complaints about the corporation's plans to install 1.8 million smart meters. Denham made 14 recommendations for improvement, but says BC Hydro is taking adequate measures to protect customers and that it is compliant with the law when it comes to data collection, use, disclosure, protection and retention.
Full Story

ONLINE PRIVACY

QR Codes Pose Potential Risks (December 20, 2011)

MSNBC reports on the increasing use of QR or "quick response" codes--puzzle-like square matrixes that populate ads and promotional posters to provide smartphone users with product details. Fifteen percent of consumers are using the codes, up from five percent last year. But experts say there are privacy risks involved, including the ability of the app maker to put in tracking systems and the potential for malware to be installed. "Unfortunately, this is a case of buyer beware," says malware researcher Tim Armstrong. "Being that this is a new territory, be suspicious of everything...users should always know what is being installed and when."
Full Story

DATA LOSS

Advocate Publishes 2011 Breach Report (December 19, 2011)

The Privacy Rights Clearinghouse (PRC) has released its 2011 breach tracking report, highlighting what it considers the six most significant breaches of the year. So far this year, the organization has tracked 535 breaches involving 30.4 million records, and according to PRC Director Beth Givens, this represents just a sampling of the total breaches. The PRC list of most significant breaches includes Sony PlayStation, Epsilon, Sutter Physicians Services and Sutter Medical, Texas Comptroller's Office, Health Net and Tricare Management Activity. "These breaches highlight some important lessons, among them: the need for strict privacy and security policies; the importance of data retention policies, and the need for data to be encrypted," the report states.
Full Story

EMPLOYEE PRIVACY

OIPC Issues Social Media Guidelines (December 16, 2011)

Alberta's Office of the Information and Privacy Commissioner (OIPC) released guidelines on Thursday "warning organizations to think twice before logging on to Facebook or Twitter to vet potential employees or volunteers," the Calgary Herald reports. One expert described the guidelines, which come amidst investigations into complaints of such access, as a "wake-up call" for potential employers. An OIPC spokeswoman explained, "We're not saying you can't do it. We're saying that you need to take a really careful look at your obligations under the privacy laws and see if you can meet those requirements in social media...It's going to be very difficult to do that."
Full Story

ONLINE PRIVACY

Opinion: Data Linking Could Mean “Surveillance by Design” (December 16, 2011)

In an op-ed for the Financial Post, Ontario Information and Privacy Commissioner Ann Cavoukian weighs in on the ongoing debate about lawful access legislation, raising concern over "the lack of understanding of a key privacy issue--the ease of data linkages in an ever-increasing online world." Cavoukian suggests, "We have reached a point where information, not only as strongly identifiable as Social Insurance numbers, but also IP addresses, licence plate numbers and mobile device identifiers, serve as pointers to personally identifiable information, through an ever-expanding web of data linkages." She cautions that lawful access legislation could lead to a system of "Surveillance by Design."
Full Story

CHILDREN’S PRIVACY

Group Alleges Canadian Company Violated U.S. Law (December 16, 2011)

A child advocacy group has filed a complaint with the U.S. Federal Trade Commission alleging a Canadian company violated provisions of the Children's Online Privacy Protection Act with its interactive children's website, the Los Angeles Times reports. Among its allegations, the Campaign for a Commercial-Free Childhood contends that Ganz fails to provide a link to its privacy policy on the homepage of its Webkinz site, stating the policy itself is "vague, confusing and contradictory" and alleging third parties are allowed to track users on the site for targeted advertising. Ganz is in the process of reviewing the complaint, the report states.
Full Story

PRIVACY LAW

Experts: Avoid Settlements by Building in Privacy (December 16, 2011)

A feature in The Globe and Mail suggests the U.S. Federal Trade Commission (FTC) settlement with Facebook will require the company to "get it right" when it comes to privacy, suggesting that such settlements could be avoided if companies come to understand the importance of Privacy by Design. "It's all about being proactive and embedding the necessary protections into the design of your systems," notes Ontario Information and Privacy Commissioner Ann Cavoukian. "By doing so, you can prevent the privacy harm from arising, thereby avoiding the costs associated with data breaches." Meanwhile, the Los Angeles Times reports on a call from the Electronic Privacy Information Center for the FTC to strengthen the settlement.
Full Story

ONLINE PRIVACY

Opinion: Canadians Must Protect Their Own Privacy (December 16, 2011)

Privacy Commissioner Jennifer Stoddart has released guidelines for online behavioural advertising in an effort to protect Canadians' privacy. But an editorial in the Toronto Star questions whether that is even possible anymore. Even the regulator's request that companies be transparent about their tracking practices can't truly protect Canadians from data miners--only individuals can protect themselves, the article states. Brian Jackson writes for IT Business that despite its best efforts to protect Canadians, the Office of the Privacy Commissioner doesn't have enough power, and until it does, Canadians themselves should demand more action when their privacy is violated.
Full Story

INFORMATION ACCESS

Legal Battle Launched Over Gun Registry (December 16, 2011)

The Montreal Gazette reports on Quebec Public Security Minister Robert Dutil's announcement that the province will launch legal action to prevent the federal government from destroying data from the federal long-gun registry once Bill C-19 becomes law. Dutil is calling Bill C-19 "a step backwards," the report states, and has characterized the planned destruction of the data as "unjust and unequitable," noting the province plans to adopt a bill to create its own gun registry if it wins the legal challenge.
Full Story

PRIVACY LAW

Opinion: Proposed Privacy Act Needs Scrutiny (December 16, 2011)

In a recent editorial, GuelphMercury.com suggests that MP Frank Valeriote's proposed Protecting Canadian Privacy Act will "generate discussion among lawmakers and many citizens" but "stands little chance of becoming law." In evaluating the bill, the editorial suggests that while it seeks to prevent the photography or filming of residents without their consent, "it poses the risk of criminalizing all sorts of actions that Canadian society would likely widely support as legal, reasonable and important." Meanwhile, a counterpoint applauds the bill as needed to stop invasions of privacy.
Full Story

INFORMATION ACCESS

Police To Continue Simultaneous Release of Info (December 16, 2011)

The Vancouver Police Board and Mayor Gregor Robertson have voted unanimously to continue the police department's (VPD) practice of disclosing classified documents simultaneously to journalists and the public, bucking the city council's unanimous June vote against the practice, reports the Vancouver Courier. One privacy advocate says the decision contradicts the openness of other government agencies and is an effort by the VPD to dissuade journalists from making Freedom of Information requests, noting that Information and Privacy Commissioner Elizabeth Denham spoke against the practice last May. The police board says its decision puts public interest above commercial interest and will mean "the public has access to good information in a timely manner."
Full Story

HEALTHCARE PRIVACY

Opinion: Opposing Views on Health Records Breach (December 16, 2011)

Two opinion pieces in the Edmonton Journal offer opposing views on recent electronic health network access incidents. Paula Simons writes, "We trust our healthcare providers with the most intimate personal secrets, and we expect that our privacy will be respected," suggesting those are the very reasons "malicious misuse of Alberta's Web-based health information network" have been "so disturbing." In an editorial, meanwhile, the newspaper suggests reactions to the "privacy scare" have been "overblown."
Full Story

ONLINE PRIVACY

On the Web: Weighing Convenience Against Data Protection (December 15, 2011)

BBC News reports on Web giants in the social networking and search spheres and the convenience they provide to users, suggesting privacy "is becoming the thorn in the side of this marriage of convenience." The feature examines recent calls by regulators from the EU and Canada, as well as the U.S. Federal Trade Commission, for better privacy protections from online firms. Looking at regulators' responses to such issues as cookies and shadow profiles, the report suggests, "2012 could see a change in the balance of power between Net firms and citizens, with citizens, for once, holding the upper hand."
Full Story

DATA LOSS—CANADA

Breach Linked to Criminal Activity (December 15, 2011)

An RCMP investigation has revealed that an Insurance Corporation of British Columbia (ICBC) employee inappropriately accessed the information of 65 people--13 of whom have had their property damaged by shootings or arson, reports The Vancouver Sun. The employee has been fired and is under continuing investigation, and the police are pursuing "significant investigative avenues to determine if others could be at risk," said a police spokeswoman. All 13 victims identified are affiliated with the Justice Institute of British Columbia, and police are still looking for a motive. ICBC CEO Jon Schubert expressed his concern for the victims, adding that the company is taking preventative measures.
Full Story

GEO PRIVACY

Experts Detail Concerns About Emerging Technologies (December 13, 2011)

"The sheer scale of technological change and the ingenuity with which people are using location-based service data feeds means we are always playing catch-up." That was the message from Jonathan Bamford of the UK Information Commissioner's Office at a recent privacy event, V3.co.uk reports. Considering the future of privacy, one U.S. expert suggested it may soon be impossible to opt out of sharing location data, noting, "As we match the physical world to the virtual world, by placing items such as fridges or even your car keys on the Internet, firms could have even more access to your data, your location and your life."
Full Story

STUDENT PRIVACY

BC Principal Told Not To Use Breathalyzer on Students (December 9, 2011)

Amidst privacy concerns, a secondary school principal has been asked not to use breathalyzers on students during school, The Globe and Mail reports. A spokesman for the BC Civil Liberties Association voiced privacy concerns, noting, "If these devices are in schools, they obviously need a policy." Nechako Lakes Superintendent Charlene Seguin confirmed the devices were provided to administrators in the district, explaining, "They are typically used at extracurricular activities such as dances. In this case, it was used during the day." She added she has explained to the principal that she does not want the device used during the academic day.
Full Story

PRIVACY

OPC Announces Annual Privacy Research Program (December 9, 2011)

The Office of the Privacy Commissioner (OPC) is accepting applications for its Contributions Program 2012-13, an annual privacy research and knowledge translation funding program, through January 25. In an announcement issued Thursday, the OPC noted that it is seeking "research proposals for projects aimed at promoting privacy and the protection of personal information in the private sector" with special focus on the areas of identity integrity and privacy; information technology and privacy; genetic information and privacy, and public safety and privacy. The OPC is also encouraging applicants to integrate "knowledge translation...a process by which theoretical research results get transformed into useable outcomes that end-users can apply in practice" into their proposals.
Full Story

ONLINE PRIVACY

Social Media Brings E-Discovery Challenges (December 9, 2011)

The Montreal Gazette reports on how corporations are dealing with the "mammoth task of preserving potentially discoverable data that hundreds or even thousands of employees leave on social networks and send via text messages." One e-discovery expert says, "This is, to some extent, a wake-up call. A company that hasn't yet prepared itself for litigation will have a nasty shock, a very nasty shock, if it has these multiple repositories of information." In a whitepaper on the topic, the head of Litis Consulting says corporations must have "robust, written policies on social media, chat and cloud computing," the report states.
Full Story

HEALTHCARE PRIVACY

Pharmacist Fined for Posting PII on Facebook (December 9, 2011)

An Edmonton pharmacist has been fined $15,000 for posting medical information on several people on Facebook, the Edmonton Journal reports. The pharmacist obtained the medical information from Alberta's electronic health system and posted it to the social network after a dispute with several people from her church. One of those affected noticed the information had been improperly obtained and complained to Alberta Privacy Commissioner Frank Work, who will release a full report soon. "Snooping through health information for personal purposes will not be tolerated and there will be prosecution," Work said.
Full Story

ONLINE PRIVACY

CIO Canada Debate on Cloud Computing (December 9, 2011)

Part four of the five-part ITWorldCanada series "CIO Canada Debate" explores chief information officers' attitudes on cloud computing. "They understand that cloud computing could bring cost savings and efficiencies, but some...still aren't ready to open up the processes and data to third parties," the report states. CIOs weigh in, including one who says the lack of standards is what prevents him from moving toward the cloud, and another who feels the privacy and security issues surrounding cloud adoption are overblown. "I think you should approach this as you would any data security or privacy issue," says Innovapost's David Rea. "You've got encryption, you've got (to look at) who has access to the data."
Full Story

DATA LOSS

Campus Crime Documents Misplaced by Third Party (December 9, 2011)

Winnipeg Free Press reports that 1,000 pages of campus crime reports containing students' personal details were found in a recycling bin. The reports included student names, addresses, photos and phone numbers, among other details. Red River College said it has referred the incident to the provincial ombudsman, and its president has called the incident a "very serious breach in privacy." Though the college has a policy on record disposal, an error allowed the reports to be misplaced by a private contractor cleaning service, the president said, adding that it's since reviewed its policies with the company.
Full Story

ONLINE PRIVACY

Opinion: Baking Privacy In Will Pay Dividends (December 9, 2011)

In IT Business Canada, Ontario Information and Privacy Commissioner Ann Cavoukian outlines her concerns about a new technology that functions much like an RFID tag. Cavoukian's office recently published a paper on its study of the emerging technology's potential risks. Near Field Communication (NFC) is at the point in development where privacy should be embedded, Cavoukian writes, specifically when it comes to default privacy options. Though privacy risks are mitigated by the close range NFC requires to interact--making third-party skimming difficult--there are challenges that remain, she says, adding that baking privacy into the product will pay dividends in consumer trust.
Full Story

PRIVACY LAW

Opinion: Lawful Access Bill Debate Continues (December 9, 2011)

The debate continues over the government's lawful access legislation. In a column for The Globe and Mail, John Ibbitson questions, "Does the need to deter pedophiles, terrorists and other bad people from exploiting the Web to commit crimes and evade detection outweigh our right to surf and post without fear of being watched?" Minister of Public Safety Vic Toews responded in a letter to the editor that "The government will propose legislation that strikes an appropriate balance between the privacy rights of Canadians and the ability of police to enforce our laws." Meanwhile, Ontario Information and Privacy Commissioner Ann Cavoukian said there's little that could be considered "lawful" about the bill's provisions.
Full Story

ONLINE PRIVACY—EU & U.S.

Regulators, Advocates Want Answers on CarrierIQ (December 9, 2011)

After computer programmers discovered that CarrierIQ software--used by many smartphone service providers--logs users' keystrokes and other personal information, European regulators have begun taking preliminary steps toward a possible investigation into violations of EU data protection laws. Deutsche Welle reports that authorities in Germany and Ireland have questioned mobile phone carriers and makers, and regulators in the U.K., France and Italy are reviewing whether the software is used in their jurisdictions. In the U.S., the company is facing four lawsuits and possible inquiries by three federal agencies. The report states that CarrierIQ's unwillingness to disclose which phones and carriers use its service is particularly concerning to privacy regulators.
Full Story 

DATA LOSS

Data of 3.5 Million Online Poker Players Exposed (December 8, 2011)

A defunct gambling site experienced a breach affecting 3.5 million members this past weekend, SecurityNewsDaily reports. The names, screen names, birth dates, phone numbers and IP, home and e-mail addresses of Ultimate Bet users in Canada, the U.S., the UK and elsewhere were posted to online poker forums, the report states. The data was removed after eight minutes.
Full Story

PRIVACY LAW—U.S. & CANADA

Border Security Pact Unveiled (December 8, 2011)

The long-anticipated "Beyond the Border" perimeter security pact between the U.S. and Canada has been unveiled, The Vancouver Sun reports. The plan is aimed at improving security and harmonizing regulations for both nations, but privacy advocates have voiced concerns over the amount of data that will be shared. The new plan will enhance the tracking of travelers in the U.S. and Canada to identify threats and will allow more information--including biometrics--to be obtained from individuals seeking to enter either country. Canadian Privacy Commissioner Jennifer Stoddart says her office will conduct a complete review of the deal. She noted both countries have agreed to develop joint privacy principles by next May.
Full Story

ONLINE PRIVACY

Survey: Social Networkers Care About Privacy (December 8, 2011)

A recent survey conducted by the Asia Pacific Privacy Authorities has revealed that people care about their privacy when it comes to social networking sites, according to a press release from New Zealand Privacy Commissioner Marie Shroff's office. More than 10,000 individuals in Mexico, Australia, New Zealand, Hong Kong and Korea completed the survey, which found that 55 percent of respondents "said they would stop using a site that used their information in a way they hadn't expected." Fifty percent said they were uncomfortable with being tracked online for marketing purposes; however, 65 percent said they do not read privacy policies or terms and conditions.
Full Story

BEHAVIORAL TARGETING—CANADA

Stoddart Releases Online Advertising Guidance (December 6, 2011)

Privacy Commissioner Jennifer Stoddart has released a new guidance document on the use of online behavioral advertising aimed at helping advertisers, websites and browser developers ensure that they are compliant with Canada's private-sector privacy law. "The use of online behavioral advertising has exploded and we're concerned that Canadians' privacy rights aren't always being respected," Stoddart said, adding that Canadians should easily be able to opt out of being tracked online. The guidelines also address tracking children online and whether children are capable of providing "meaningful consent."
Full Story

PRIVACY LAW

Court Refusal Concerns Commissioner, Has National Implications (December 2, 2011)

Alberta Information and Privacy Commissioner Frank Work says that the province's Personal Information Protection Act (PIPA) needs to be updated in light of the Supreme Court of Canada's refusal to review an appeals court decision overturning his office's earlier findings, the Financial Post reports. The case involves the practice of requiring customers at Leon's Furniture to provide their driver's licenses when picking up furniture, which the office found in breach of PIPA. Work said, "The decision could be used to challenge what were thought to be reasonable, nationally accepted limits on the collection of personal information by private-sector organizations. We are moving backwards." The litigator representing Leon's said, "The overall message...is that privacy is important but it need not be the only overriding value out there."

PRIVACY LAW

Border Plan Raises Privacy Concerns (December 2, 2011)

CTV.ca reports on the new 32-point information sharing border plan that will be signed into law next week by Prime Minister Stephen Harper and U.S. President Barack Obama and the concerns expressed by Privacy Commissioner Jennifer Stoddart. Though the system will help keep track of illegal immigrants, war criminals and terrorists, there will be vast amounts of information shared between the two nations. Stoddart says that her office has not been consulted on the plan and that there should be narrow limits placed on what types of data are shared with U.S. immigration officials, the report states. Assistant Privacy Commissioner Chantal Bernier said, "In any agreement, Canadian privacy protections and practices need to be protected." CTV's Ottawa bureau chief said that border officials will be able to pass additional "info on to the U.S. and vice-versa, and this is the grey area where the privacy commissioner wants to make sure there are strict controls over how this information is shared."

BEHAVIOURAL TARGETING

OPC To Release OBA Guidance (December 2, 2011)

Privacy Commissioner Jennifer Stoddart is planning to release a document with guidance for online behavioral advertising (OBA) at a conference next week, Marketing Magazine reports. The Office of the Privacy Commissioner (OPC) has been consulting with industry groups to discuss issues such as online privacy, data tracking and behavioural modeling, according to the report. The document is set to provide "some specific guidance related to online behavioural advertising." Meanwhile, the Women's Executive Network has named Stoddart to its list of the top 100 most powerful women in the nation. The annual honour goes out to Canada's "highest-achieving female leaders" in the fields of business, charity, medical and public sectors, according to the Edmonton Sun.

PRIVACY LAW

Committee Selects New Commissioner (December 2, 2011)

The Edmonton Journal reports that a government search committee has recommended former assistant commissioner Jill Clayton as the next Information and Privacy Commissioner of Alberta. Clayton has been part of a team that ensures entities are in compliance with Alberta's Personal Information Protection Act (PIPA). She also worked as the director of PIPA between 2008 and 2011. Clayton will be replacing Frank Work, who has served as the commissioner since the office was enacted in 1995. The committee is slated to present the recommendation to the legislature next week. If approved, Clayton's term would begin February 1.

HEALTHCARE PRIVACY

Doctor Investigated for Improper EHR Access (December 2, 2011)

After an investigation by Alberta Information and Privacy Commissioner Frank Work, a Covenant Health physician was found to have improperly accessed the electronic health records of a patient and has been referred to the provincial College of Physicians and Surgeons, CBC News reports. The investigation also revealed that the healthcare organization did not appropriately train physicians on securing their accounts and that it was common for staff to access electronic records by using whatever account was open at a given time, the report states. Covenant Health's chief privacy officer said the incident came as a surprise, adding, "It was pretty disappointing for us to learn that a physician working at one of our sites didn't follow our policies to protect patient privacy." The clinic has taken action to help mitigate improper access in the future.

INFORMATION ACCESS

Outgoing Commissioner Submits Warning, Proposals (December 2, 2011)

Alberta's outgoing information and privacy commissioner, Frank Work, has released a report warning that the provincial government has implemented loopholes that put Alberta's freedom of information laws at risk, the Edmonton Journal reports. Work said that the existence of loopholes, numbering in the dozens, "calls into question the legislature's commitment" to the freedom of information law. Meanwhile, Work has issued six recommendations to ensure that the government practice of using secondary e-mails complies with the province's freedom of information legislation. In addition to creating secondary e-mail policies for government agencies, Work says individuals in a ministry--including staff--should undergo mandatory training on freedom of information legislation and records management, the report states.

PRIVACY LAW

Cavoukian: Courts Are Out of Touch (December 2, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian said that recent court decisions will have a negative effect on citizens' privacy rights, The Ottawa Citizen reports. Speaking at a conference in Ottawa, Cavoukian also said that the government's two lawful access bills will be an "expansion of surveillance without judicial authorization. This should scare you." Cavoukian added that courts across the nation are not in touch with the current digital landscape, the report states. She said, "I have no faith in the judiciary anymore...I don't want to leave it to the courts to decide these things," adding that the Supreme Court of Canada's ruling not to hear a privacy case in Alberta raises concerns. Cavoukian and other privacy commissioners have filed for intervenor status in the Alberta case. "For the first time, I am very concerned about the creep of surveillance expanding."

Commissioner Releases NFC Whitepaper (December 2, 2011)

With the rise in use of near field communication (NFC), Ontario Information and Privacy Commissioner Ann Cavoukian has released a whitepaper discussing the privacy implications involved with the new applications, itbusiness.ca reports. Written in conjunction with phone maker Nokia, "Mobile Near Field Communication Tap 'n Go--Keep It Secure and Private" promotes building privacy safeguards into the development of the technology. Cavoukian said, "User privacy does not have to be sacrificed for the sake of NFC...Now is the time to embed additional security and privacy into the design of applications that use NFC capabilities."

PERSONAL PRIVACY

Mobile Software Company Faces Scrutiny (December 2, 2011)

Smartphone software maker CarrierIQ has said in a statement that it does monitor all keystrokes on mobile devices but only for "legitimate purposes," thinq.co.uk reports. The company said its "software does not record, store or transmit the contents of SMS messages, e-mail, photographs, audio or video." In an open letter to the company, U.S. Sen. Al Franken (D-MN) queried why the application "captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics," adding, "These actions may violate federal privacy laws...This is potentially a very serious matter." The company has asserted that it has not breached any "wiretap laws." France's data protection authority has said in an e-mail that it is also investigating the matter. Meanwhile, companies including Google, Apple and Microsoft are distancing themselves from the software, and phone carriers that use CarrierIQ say they do not collect users' personal information.

PRIVACY

Expert: Attorneys Increasingly Important in Breach Responses (December 1, 2011)

Data breaches are all about reputational risk, says Hunton & Williams Managing Partner Lisa Sotto in this BankInfoSecurity podcast. Attorneys play increasingly integral roles in data breach responses, Sotto says, including deciding what steps must be taken beyond a jurisdiction's data breach notification mandates. "The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers. But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing," Sotto says. 