Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY LAW

Nunavut To Enact Privacy Legislation (December 23, 2011)

Barbara McIsaac of Borden Ladner Gervais LLP reports on the coming Nunavut legislation that will amend the Access to Information and Protection of Privacy Act. The legislation will cover "rules governing how government can collect, use and disclose personal information" and "includes a limitation that personal information is used only for the purposes for which it is collected..." Nunavut Premier Eva Aariak has announced that the amendments will be tabled by the end of next year. "The proposed amendments," Aariak said, "will allow individuals the ability to complain to the information and privacy commissioner if they feel that the government of Nunavut has inappropriately collected, used or disclosed their personal information. It will also make it mandatory for departments to report privacy breaches within their departments to the information and privacy commissioner." (Registration may be required to access this story.)

BEHAVIOURAL TARGETING

OPC Discusses Tracking Concerns (December 23, 2011)

Privacy Commissioner Jennifer Stoddart asks in the Office of the Privacy Commissioner (OPC) blog how shoppers would feel if those behind the security cameras used to monitor for theft were keeping tabs on all activities from brands purchased to food court selections. "This may sound far-fetched, but something similar is happening regularly to eight in 10 Canadians aged 16 and older" who browse online. When it comes to behavioural advertising, she writes, "individuals must be made aware of what's happening when they browse and provide meaningful consent." The OPC will be "watching the watchers," she writes, "And if we see troubling trends, we'll take enforcement action."

DATA LOSS

OIPC Prepared To Investigate Breach (December 23, 2011)

Newfoundland and Labrador Information and Privacy Commissioner Ed Ring has announced that residents contacted by Service Newfoundland and Labrador regarding a recent breach may file a complaint with his office, The Telegraph reports. He has also clarified that his office "had no knowledge of the breach until the day of the news release" and that it is prepared to investigate any complaints, the report states. "I do understand that Service NL is conducting its own internal investigation of this matter, and whether or not we receive any complaints from individuals, we look forward to hearing from the department when they have concluded their own analysis," he said.

SURVEILLANCE

Opinion: Vigilance Needed on Surveillance (December 23, 2011)

In the Ottawa Citizen, Roland Paris says that even liberal democracies with strong privacy laws should be wary of the potential for government surveillance. Paris, who is founding director of the Centre for International Policy Studies and an associate professor at the University of Ottawa, cites a recent Brookings Institution report that warns that "Within the next few years, it will be technically possible and financially feasible for authoritarian governments to record nearly everything that is said or done within their borders." The report "speaks to the importance of a different kind of heightened vigilance..." Paris writes, "of our right to remain largely hidden from the constant gaze of the state."

PRIVACY LAW

Privacy Breach Class-Actions on the Rise (December 23, 2011)

Alex Cameron and Sebastien Kwidzinski of the law firm Fasken Martineau analyze the rise of class-action litigation connected with incidents of alleged privacy breaches in Canada. The bulletin focuses mainly on Rowlands v. Durham Region Health, a case involving a lost USB thumb drive containing sensitive health information of approximately 83,500 patients. The class-action lawsuit, citing negligence and breach of statutory duty of data protection, seeks $40 million in damages. "While the merits of the lawsuit have yet to be determined," they write, "the case has potentially wide ranging implications for healthcare providers--and many other organizations that hold personal information subject to privacy laws."

PRIVACY LAW

Opinion: Privacy Rights and “Reasonable” Steps (December 23, 2011)

In the Financial Post, Drew Hasselback opines that privacy rights should not always trump "other values" that small businesses use in running operations. "Because privacy is statute-driven, every business needs to determine which of the many privacy laws it needs to respect and what it needs to do to comply," he writes. Hasselback notes that the Leon's Furniture Limited v. Alberta case proves "that a customer's personal privacy needs to be balanced against the right of a business to take reasonable steps to protect itself from fraud." The Alberta legislation, he argues, does not specifically say that a business needs to take "better" steps to ensure privacy; "it only requires reasonable" steps.

SOCIAL NETWORKING

Opinion: Privacy Is Not Dead, But It’s Hurting (December 23, 2011)

In a Reuters blog post, Don Tapscott writes about 20 ideas for 2012 and highlights the erosion of privacy through the use of social networks. "In the past," Tapscott writes, "the threat was Big Brother (governments) assembling detailed dossiers about us. Then came Little Brother (corporations) creating detailed customer profiles. Today, the problem is the individuals themselves." Social networking sites "encourage individuals themselves to directly and voluntarily publish granular data short-circuiting the obligations of organizations to seek informed consent," which prompts Tapscott to ask, "What new can be done to prevent the destruction of privacy as we know it?"

PRIVACY LAW

Opinion: Commissioner’s “Top-Down” Approach Curbs Citizen Participation (December 23, 2011)

Writing for rabble.ca, Anton Oleinik expresses concern about the privacy commissioner's "top-down" approach to protecting citizens' privacy. Oleinik questions whether citizens should rely on the commissioner's "insight and expertise in the matters of protecting their privacy rights, or should they take their own initiative and guide the commissioner's efforts in this highly sensitive area by helping her spot problems that call for solutions?" Oleinik points out that between 2003 and 2005, Canadian privacy complaints "reversed radically" in volume. "Can this drop in the number of citizen contacts with the ombudsperson," he writes, "be attributed to the increased efficiency of government bodies in meeting and anticipating the privacy concerns of the constituency or to Canadians' growing reliance on the ombudsperson's website as a source of information about privacy?"

DATA PROTECTION

APEC Announces New Members to CPEA (December 23, 2011)

In a press release, APEC has announced the addition of several new authorities to its Cross-border Privacy Enforcement Arrangement (CPEA). APEC launched the CPEA last year in an effort to boost regional cooperation on privacy enforcement. Fifteen Japanese agencies--including the Consumer Affairs Agency, the Cabinet Office, the National Police Agency and the Ministry of Foreign Affairs--have joined the CPEA's founding members. "The participation of privacy law enforcement authorities from Japan further strengthens APEC's cooperation arrangements to the benefit of consumers across the region," said Danièle Chatelois, chair of APEC's Data Privacy Subgroup.

BIOMETRICS

Is a Facial Recognition Opt-Out Possible? (December 22, 2011)

Slate reports on recent advances in facial recognition and detection technology and the inherent difficulties involved when offering an opt-out for individuals in the physical world. Though facial recognition technology is not entirely sophisticated at this point, "critical questions" about personal privacy remain. The column asks, "At what point do people know they are being watched? Where can they find the privacy policy to learn what happens when they're on camera? How can they opt out if they're not comfortable with the technology?" Noting that these questions were discussed at a recent Federal Trade Commission roundtable by industry representatives, regulators and privacy advocates, the report suggests the answers and "suggestions were problematic and superficial."

PERSONAL PRIVACY—CANADA

Commissioner Releases Report on Smart Meters (December 20, 2011)

BC's Information and Privacy Commissioner has released an assessment of BC Hydro's smart meter program and determined that the corporation is not fully compliant with the Freedom of Information and Protection of Privacy Act, CBC News reports. "I think they thought their communication was sufficient and we found it was deficient," BC Commissioner Elizabeth Denham said. The commissioner launched an investigation last summer after receiving some 600 complaints about the corporation's plans to install 1.8 million smart meters. Denham made 14 recommendations for improvement, but says BC Hydro is taking adequate measures to protect customers and that it is compliant with the law when it comes to data collection, use, disclosure, protection and retention.

ONLINE PRIVACY

QR Codes Pose Potential Risks (December 20, 2011)

MSNBC reports on the increasing use of QR or "quick response" codes--puzzle-like square matrixes that populate ads and promotional posters to provide smartphone users with product details. Fifteen percent of consumers are using the codes, up from five percent last year. But experts say there are privacy risks involved, including the ability of the app maker to put in tracking systems and the potential for malware to be installed. "Unfortunately, this is a case of buyer beware," says malware researcher Tim Armstrong. "Being that this is a new territory, be suspicious of everything...users should always know what is being installed and when."

DATA LOSS

Advocate Publishes 2011 Breach Report (December 19, 2011)

The Privacy Rights Clearinghouse (PRC) has released its 2011 breach tracking report, highlighting what it considers the six most significant breaches of the year. So far this year, the organization has tracked 535 breaches involving 30.4 million records, and according to PRC Director Beth Givens, this represents just a sampling of the total breaches. The PRC list of most significant breaches includes Sony PlayStation, Epsilon, Sutter Physicians Services and Sutter Medical, Texas Comptroller's Office, Health Net and Tricare Management Activity. "These breaches highlight some important lessons, among them: the need for strict privacy and security policies; the importance of data retention policies, and the need for data to be encrypted," the report states.

EMPLOYEE PRIVACY

OIPC Issues Social Media Guidelines (December 16, 2011)

Alberta's Office of the Information and Privacy Commissioner (OIPC) released guidelines on Thursday "warning organizations to think twice before logging on to Facebook or Twitter to vet potential employees or volunteers," the Calgary Herald reports. One expert described the guidelines, which come amidst investigations into complaints of such access, as a "wake-up call" for potential employers. An OIPC spokeswoman explained, "We're not saying you can't do it. We're saying that you need to take a really careful look at your obligations under the privacy laws and see if you can meet those requirements in social media...It's going to be very difficult to do that."

ONLINE PRIVACY

Opinion: Data Linking Could Mean “Surveillance by Design” (December 16, 2011)

In an op-ed for the Financial Post, Ontario Information and Privacy Commissioner Ann Cavoukian weighs in on the ongoing debate about lawful access legislation, raising concern over "the lack of understanding of a key privacy issue--the ease of data linkages in an ever-increasing online world." Cavoukian suggests, "We have reached a point where information, not only as strongly identifiable as Social Insurance numbers, but also IP addresses, licence plate numbers and mobile device identifiers, serve as pointers to personally identifiable information, through an ever-expanding web of data linkages." She cautions that lawful access legislation could lead to a system of "Surveillance by Design."

CHILDREN’S PRIVACY

Group Alleges Canadian Company Violated U.S. Law (December 16, 2011)

A child advocacy group has filed a complaint with the U.S. Federal Trade Commission alleging a Canadian company violated provisions of the Children's Online Privacy Protection Act with its interactive children's website, the Los Angeles Times reports. Among its allegations, the Campaign for a Commercial-Free Childhood contends that Ganz fails to provide a link to its privacy policy on the homepage of its Webkinz site, stating the policy itself is "vague, confusing and contradictory" and alleging third parties are allowed to track users on the site for targeted advertising. Ganz is in the process of reviewing the complaint, the report states.

PRIVACY LAW

Experts: Avoid Settlements by Building in Privacy (December 16, 2011)

A feature in The Globe and Mail suggests the U.S. Federal Trade Commission (FTC) settlement with Facebook will require the company to "get it right" when it comes to privacy, suggesting that such settlements could be avoided if companies come to understand the importance of Privacy by Design. "It's all about being proactive and embedding the necessary protections into the design of your systems," notes Ontario Information and Privacy Commissioner Ann Cavoukian. "By doing so, you can prevent the privacy harm from arising, thereby avoiding the costs associated with data breaches." Meanwhile, the Los Angeles Times reports on a call from the Electronic Privacy Information Center for the FTC to strengthen the settlement.

ONLINE PRIVACY

Opinion: Canadians Must Protect Their Own Privacy (December 16, 2011)

Privacy Commissioner Jennifer Stoddart has released guidelines for online behavioural advertising in an effort to protect Canadians' privacy. But an editorial in the Toronto Star questions whether that is even possible anymore. Even the regulator's request that companies be transparent about their tracking practices can't truly protect Canadians from data miners--only individuals can protect themselves, the article states. Brian Jackson writes for IT Business that despite its best efforts to protect Canadians, the Office of the Privacy Commissioner doesn't have enough power, and until it does, Canadians themselves should demand more action when their privacy is violated.

INFORMATION ACCESS

Legal Battle Launched Over Gun Registry (December 16, 2011)

The Montreal Gazette reports on Quebec Public Security Minister Robert Dutil's announcement that the province will launch legal action to prevent the federal government from destroying data from the federal long-gun registry once Bill C-19 becomes law. Dutil is calling Bill C-19 "a step backwards," the report states, and has described the planned destruction of the data as "unjust and unequitable," noting the province plans to adopt a bill to create its own gun registry if it wins the legal challenge.

PRIVACY LAW

Opinion: Proposed Privacy Act Needs Scrutiny (December 16, 2011)

In a recent editorial, GuelphMercury.com suggests that MP Frank Valeriote's proposed Protecting Canadian Privacy Act will "generate discussion among lawmakers and many citizens" but "stands little chance of becoming law." In evaluating the bill, the editorial suggests that while it seeks to prevent the photography or filming of residents without their consent, "it poses the risk of criminalizing all sorts of actions that Canadian society would likely widely support as legal, reasonable and important." Meanwhile, a counterpoint applauds the bill as needed to stop invasions of privacy.

INFORMATION ACCESS

Police To Continue Simultaneous Release of Info (December 16, 2011)

The Vancouver Police Board and Mayor Gregor Robertson have voted unanimously to continue the police department's (VPD) practice of disclosing classified documents simultaneously to journalists and the public, bucking the city council's unanimous June vote against the practice, reports the Vancouver Courier. One privacy advocate says the decision contradicts the openness of other government agencies and is an effort by the VPD to dissuade journalists from making Freedom of Information requests, noting that Information and Privacy Commissioner Elizabeth Denham spoke against the practice last May. The police board says its decision puts public interest above commercial interest and will mean "the public has access to good information in a timely manner."

HEALTHCARE PRIVACY

Opinion: Opposing Views on Health Records Breach (December 16, 2011)

Two opinion pieces in the Edmonton Journal offer opposing views on recent electronic health network access incidents. Paula Simons writes, "We trust our healthcare providers with the most intimate personal secrets, and we expect that our privacy will be respected," suggesting those are the very reasons "malicious misuse of Alberta's Web-based health information network" have been "so disturbing." In an editorial, meanwhile, the newspaper suggests reactions to the "privacy scare" have been "overblown."

ONLINE PRIVACY

On the Web: Weighing Convenience Against Data Protection (December 15, 2011)

BBC News reports on Web giants in the social networking and search spheres and the convenience they provide to users, suggesting privacy "is becoming the thorn in the side of this marriage of convenience." The feature examines recent calls by regulators from the EU and Canada, as well as the U.S. Federal Trade Commission, for better privacy protections from online firms. Looking at regulators' responses to such issues as cookies and shadow profiles, the report suggests, "2012 could see a change in the balance of power between Net firms and citizens, with citizens, for once, holding the upper hand."

DATA LOSS—CANADA

Breach Linked to Criminal Activity (December 15, 2011)

An RCMP investigation has revealed that an Insurance Corporation of British Columbia (ICBC) employee inappropriately accessed the information of 65 people--13 of whom have had their property damaged by shootings or arson, reports The Vancouver Sun. The employee has been fired and is under continuing investigation, and the police are pursuing "significant investigative avenues to determine if others could be at risk," said a police spokeswoman. All 13 victims identified are affiliated with the Justice Institute of British Columbia, and police are still looking for a motive. ICBC CEO Jon Schubert expressed his concern for the victims, adding that the company is taking preventative measures.

GEO PRIVACY

Experts Detail Concerns About Emerging Technologies (December 13, 2011)

"The sheer scale of technological change and the ingenuity with which people are using location-based service data feeds means we are always playing catch-up." That was the message from Jonathan Bamford of the UK Information Commissioner's Office at a recent privacy event, V3.co.uk reports. Considering the future of privacy, one U.S. expert suggested it may soon be impossible to opt out of sharing location data, noting, "As we match the physical world to the virtual world, by placing items such as fridges or even your car keys on the Internet, firms could have even more access to your data, your location and your life."

STUDENT PRIVACY

BC Principal Told Not To Use Breathalyzer on Students (December 9, 2011)

Amidst privacy concerns, a secondary school principal has been asked not to use breathalyzers on students during school, The Globe and Mail reports. A spokesman for the BC Civil Liberties Association voiced privacy concerns, noting, "If these devices are in schools, they obviously need a policy." Nechako Lakes Superintendent Charlene Seguin confirmed the devices were provided to administrators in the district, explaining, "They are typically used at extracurricular activities such as dances. In this case, it was used during the day." She added she has explained to the principal that she does not want the device used during the academic day.

PRIVACY

OPC Announces Annual Privacy Research Program (December 9, 2011)

The Office of the Privacy Commissioner (OPC) is accepting applications for its Contributions Program 2012-13, an annual privacy research and knowledge translation funding program, through January 25. In an announcement issued Thursday, the OPC noted that it is seeking "research proposals for projects aimed at promoting privacy and the protection of personal information in the private sector" with special focus on the areas of identity integrity and privacy; information technology and privacy; genetic information and privacy, and public safety and privacy. The OPC is also encouraging applicants to integrate "knowledge translation...a process by which theoretical research results get transformed into useable outcomes that end-users can apply in practice" into their proposals.

ONLINE PRIVACY

Social Media Brings E-Discovery Challenges (December 9, 2011)

The Montreal Gazette reports on how corporations are dealing with the "mammoth task of preserving potentially discoverable data that hundreds or even thousands of employees leave on social networks and send via text messages." One e-discovery expert says, "This is, to some extent, a wake-up call. A company that hasn't yet prepared itself for litigation will have a nasty shock, a very nasty shock, if it has these multiple repositories of information." In a whitepaper on the topic, the head of Litis Consulting says corporations must have "robust, written policies on social media, chat and cloud computing," the report states.

HEALTHCARE PRIVACY

Pharmacist Fined for Posting PII on Facebook (December 9, 2011)

An Edmonton pharmacist has been fined $15,000 for posting medical information on several people on Facebook, the Edmonton Journal reports. The pharmacist obtained the medical information from Alberta's electronic health system and posted it to the social network after a dispute with several people from her church. One of those affected noticed the information had been improperly obtained and complained to Alberta Privacy Commissioner Frank Work, who will release a full report soon. "Snooping through health information for personal purposes will not be tolerated and there will be prosecution," Work said.

ONLINE PRIVACY

CIO Canada Debate on Cloud Computing (December 9, 2011)

Part four of the five-part ITWorldCanada series "CIO Canada Debate," explores chief information officers' attitudes on cloud computing. "They understand that cloud computing could bring cost savings and efficiencies, but some...still aren't ready to open up the processes and data to third parties," the report states. CIOs weigh in, including one who says the lack of standards is what prevents him from moving toward the cloud, and another who feels the privacy and security issues surrounding cloud adoption are overblown. "I think you should approach this as you would any data security or privacy issue," says Innovapost's David Rea. "You've got encryption, you've got (to look at) who has access to the data."

DATA LOSS

Campus Crime Documents Misplaced by Third Party (December 9, 2011)

Winnipeg Free Press reports that 1,000 pages of campus crime reports containing students' personal details were found in a recycling bin. The reports included student names, addresses, photos and phone numbers, among other details. Red River College said it has referred the incident to the provincial ombudsman, and its president has called the incident a "very serious breach in privacy." Though the college has a policy on record disposal, an error allowed the reports to be misplaced by a private contractor cleaning service, the president said, adding that it's since reviewed its policies with the company.

ONLINE PRIVACY

Opinion: Baking Privacy In Will Pay Dividends (December 9, 2011)

In IT Business Canada, Ontario Privacy and Information Commissioner Ann Cavoukian outlines her concerns about a new technology that functions much like an RFID tag. Cavoukian's office recently published a paper on its study of the emerging technology's potential risks. Near Field Communication (NFC) is at the point in development where privacy should be embedded, Cavoukian writes, specifically when it comes to default privacy options. Though privacy risks are mitigated by the close range NFC requires to interact--making third-party skimming difficult--there are challenges that remain, she says, adding that baking privacy into the product will pay dividends in consumer trust.

PRIVACY LAW

Opinion: Lawful Access Bill Debate Continues (December 9, 2011)

The debate continues over the government's lawful access legislation. In a column for The Globe and Mail, John Ibbitson questions, "Does the need to deter pedophiles, terrorists and other bad people from exploiting the Web to commit crimes and evade detection outweigh our right to surf and post without fear of being watched?" Minister of Public Safety Vic Toews responded in a letter to the editor that "The government will propose legislation that strikes an appropriate balance between the privacy rights of Canadians and the ability of police to enforce our laws." Meanwhile, Ontario Information and Privacy Commissioner Ann Cavoukian said there's little that could be considered "lawful" about the bill's provisions.

ONLINE PRIVACY—EU & U.S.

Regulators, Advocates Want Answers on CarrierIQ (December 9, 2011)

After computer programmers discovered that CarrierIQ software--used by many smartphone service providers--logs users' keystrokes and other personal information, European regulators have begun taking preliminary steps toward a possible investigation into violations of EU data protection laws. Deutsche Welle reports that authorities in Germany and Ireland have questioned mobile phone carriers and makers, and regulators in the U.K., France and Italy are reviewing whether the software is used in their jurisdictions. In the U.S., the company is facing four lawsuits and possible inquiries by three federal agencies. The report states that CarrierIQ's unwillingness to disclose which phones and carriers use its service is particularly concerning to privacy regulators.

DATA LOSS

Data of 3.5 Million Online Poker Players Exposed (December 8, 2011)

A defunct gambling site experienced a breach affecting 3.5 million members this past weekend, SecurityNewsDaily reports. The names, screen names, birth dates, phone numbers and IP, home and e-mail addresses of Ultimate Bet users in Canada, the U.S., the UK and elsewhere were posted to online poker forums, the report states. The data was removed after eight minutes.

PRIVACY LAW—U.S. & CANADA

Border Security Pact Unveiled (December 8, 2011)

The long-anticipated "Beyond the Border" perimeter security pact between the U.S. and Canada has been unveiled, The Vancouver Sun reports. The plan is aimed at improving security and harmonizing regulations for both nations, but privacy advocates have voiced concerns over the amount of data that will be shared. The new plan will enhance the tracking of travelers in the U.S. and Canada to identify threats and will allow more information--including biometrics--to be obtained from individuals seeking to enter either country. Canadian Privacy Commissioner Jennifer Stoddart says her office will conduct a complete review of the deal. She noted both countries have agreed to develop joint privacy principles by next May.

ONLINE PRIVACY

Survey: Social Networkers Care About Privacy (December 8, 2011)

A recent survey conducted by the Asia Pacific Privacy Authorities has revealed that people care about their privacy when it comes to social networking sites, according to a press release from New Zealand Privacy Commissioner Marie Shroff's office. More than 10,000 individuals in Mexico, Australia, New Zealand, Hong Kong and Korea completed the survey, which found that 55 percent of respondents "said they would stop using a site that used their information in a way they hadn't expected." Fifty percent said they were uncomfortable with being tracked online for marketing purposes; however, 65 percent said they do not read privacy policies or terms and conditions.

BEHAVIORAL TARGETING—CANADA

Stoddart Releases Online Advertising Guidance (December 6, 2011)

Privacy Commissioner Jennifer Stoddart has released a new guidance document on the use of online behavioral advertising aimed at helping advertisers, websites and browser developers ensure that they are compliant with Canada's private-sector privacy law. "The use of online behavioral advertising has exploded and we're concerned that Canadians' privacy rights aren't always being respected," Stoddart said, adding that Canadians should easily be able to opt out of being tracked online. The guidelines also address tracking children online and whether children are capable of providing "meaningful consent."

PRIVACY LAW

Court Refusal Concerns Commissioner, Has National Implications (December 2, 2011)

Alberta Information and Privacy Commissioner Frank Work says that the province's Personal Information Protection Act (PIPA) needs to be updated in light of the Supreme Court of Canada's refusal to review an appeals court decision overturning his office's earlier findings, the Financial Post reports. The case involves the practice of requiring customers at Leon's Furniture to provide their driver's licenses when picking up furniture, which the office found in breach of PIPA. Work said, "The decision could be used to challenge what were thought to be reasonable, nationally accepted limits on the collection of personal information by private-sector organizations. We are moving backwards." The litigator representing Leon's said, "The overall message...is that privacy is important but it need not be the only overriding value out there."

PRIVACY LAW

Border Plan Raises Privacy Concerns (December 2, 2011)

CTV.ca reports on the new 32-point information sharing border plan that will be signed into law next week by Prime Minister Stephen Harper and U.S. President Barack Obama and the concerns expressed by Privacy Commissioner Jennifer Stoddart. Though the system will help keep track of illegal immigrants, war criminals and terrorists, there will be vast amounts of information shared between the two nations. Stoddart says that her office has not been consulted on the plan, the report states, and there should be narrow limits placed on what types of data are shared with U.S immigration officials, the report states. Assistant Privacy Commissioner Chantal Bernier said, "In any agreement, Canadian privacy protections and practices need to be protected." CTV's Ottawa bureau chief said that border officials will be able to pass additional "info on to the U.S. and vice-versa, and this is the grey area where the privacy commissioner wants to make sure there are strict controls over how this information is shared."

BEHAVIOURAL TARGETING

OPC To Release OBA Guidance (December 2, 2011)

Privacy Commissioner Jennifer Stoddart is planning to release a document with guidance for online behavioral advertising (OBA) at a conference next week, Marketing Magazine reports. The Office of the Privacy Commissioner (OPC) has been consulting with industry groups to discuss issues such as online privacy, data tracking and behavioural modeling, according to the report. The document is set to provide "some specific guidance related to online behavioural advertising." Meanwhile, the Women's Executive Network has named Stoddart to its list of the top 100 most powerful women in the nation. The annual honour goes out to Canada's "highest-achieving female leaders" in the fields of business, charity, medical and public sectors, according to the Edmonton Sun.

PRIVACY LAW

Committee Selects New Commissioner (December 2, 2011)

The Edmonton Journal reports that a government search committee has recommended former assistant commissioner Jill Clayton as the next Information and Privacy Commissioner of Alberta. Clayton has been part of a team that ensures entities are in compliance with Alberta's Personal Information Protection Act (PIPA). She also worked as the director of PIPA between 2008 and 2011. Clayton will be replacing Frank Work, who has served as the commissioner since the office was enacted in 1995. The committee is slated to present the recommendation to the legislature next week. If approved, Clayton's term would begin February 1.

HEALTHCARE PRIVACY

Doctor Investigated for Improper EHR Access (December 2, 2011)

After an investigation by Alberta Information and Privacy Commissioner Frank Work, a Covenant Health physician was found to have improperly accessed the electronic health records of a patient and has been referred to the provincial College of Physicians and Surgeons, CBC News reports. The investigation also revealed that the healthcare organization did not appropriately train physicians on securing their accounts and that it was common for staff to access electronic records by using whatever account was open at a given time, the report states. Covenant Health's chief privacy officer said the incident came as a surprise, adding, "It was pretty disappointing for us to learn that a physician working at one of our sites didn't follow our policies to protect patient privacy." The clinic has taken action to help mitigate improper access in the future.

INFORMATION ACCESS

Outgoing Commissioner Submits Warning, Proposals (December 2, 2011)

Alberta's outgoing information and privacy commissioner, Frank Work, has released a report warning that the provincial government has implemented loopholes that put Alberta's freedom of information laws at risk, the Edmonton Journal reports. Work said that the existence of loopholes, numbering in the dozens, "calls into question the legislature's commitment" to the freedom of information law. Meanwhile, Work has issued six recommendations to ensure that the government practice of using secondary e-mails complies with the province's freedom of information legislation. In addition to creating secondary e-mail policies for government agencies, Work says individuals in a ministry--including staff--should undergo mandatory training on freedom of information legislation and records management, the report states.

PRIVACY LAW

Cavoukian: Courts Are Out of Touch (December 2, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian said that recent court decisions will have a negative effect on citizens' privacy rights, The Ottawa Citizen reports. Speaking at a conference in Ottawa, Cavoukian also said that the government's two lawful access bills will be an "expansion of surveillance without judicial authorization. This should scare you." Cavoukian added that courts across the nation are not in touch with the current digital landscape, the report states. She said, "I have no faith in the judiciary anymore...I don't want to leave it to the courts to decide these things," adding that the Supreme Court of Canada's ruling not to hear a privacy case in Alberta raises concerns. Cavoukian and other privacy commissioners have filed for intervenor status in the Alberta case. "For the first time, I am very concerned about the creep of surveillance expanding."

Commissioner Releases NFC Whitepaper (December 2, 2011)

With the rise in use of near field communication (NFC), Ontario Information and Privacy Commissioner Ann Cavoukian has released a whitepaper discussing the privacy implications involved with the new applications, itbusiness.ca reports. Written in conjunction with phone maker Nokia, "Mobile Near Field Communication Tap 'n Go--Keep It Secure and Private" promotes building privacy safeguards into the development of the technology. Cavoukian said, "User privacy does not have to be sacrificed for the sake of NFC...Now is the time to embed additional security and privacy into the design of applications that use NFC capabilities."

PERSONAL PRIVACY

Mobile Software Company Faces Scrutiny (December 2, 2011)

Smartphone software maker CarrierIQ has said in a statement that it does monitor all keystrokes on mobile devices but only for "legitimate purposes," thinq.co.uk reports. The company said its "software does not record, store or transmit the contents of SMS messages, e-mail, photographs, audio or video." In an open letter to the company, U.S. Sen. Al Franken (D-MN) queried why the application "captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics," adding, "These actions may violate federal privacy laws...This is potentially a very serious matter." The company has asserted that it has not breached any "wiretap laws." France's data protection authority has said in an e-mail that it is also investigating the matter. Meanwhile, companies including Google, Apple and Microsoft are distancing themselves from the software, and phone carriers that use CarrierIQ say they do not collect users' personal information.

PRIVACY

Expert: Attorneys Increasingly Important in Breach Responses (December 1, 2011)

Data breaches are all about reputational risk, says Hunton & Williams Managing Partner Lisa Sotto in this BankInfoSecurity podcast. Attorneys play increasingly integral roles in data breach responses, Sotto says, including deciding what steps must be taken beyond a jurisdiction's data breach notification mandates. "The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers. But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing," Sotto says. 

ONLINE PRIVACY

Exploring the Privacy Button (November 28, 2011)

In a podcast, The New York Times' media desk reporter, Tanzina Vega, discusses one company's attempt to offer its users an easy-to-use method to control their online data while exploring how the One Click Privacy button works. The new control, made by BrightTag, comes out while the Federal Trade Commission and the World Wide Web Consortium work on the creation of do-not-track standards. (Registration may be required to access this story.)

PRIVACY LAW

Supreme Court Won’t Hear Appeal (November 25, 2011)

The Supreme Court of Canada will not hear an appeal of a lower court's ruling concerning a retailer's data collection practices, Macleans reports. Alberta Privacy Commissioner Frank Work sought the Supreme Court's involvement after the Alberta Court of Appeal ruled in June that Work's attempt to nix Leon's practice of collecting driver's licence numbers from customers "allowed the privacy rights of the individuals to outweigh the rights of the business," the report states. "It's really a victory for a reasonable approach for these privacy issues," said Geoff Hall, a lawyer for Leon's, in responding to the Supreme Court's decision not to hear the case.

INFORMATION ACCESS

Commissioner: Deleting Data Breaks Law (November 25, 2011)

The Canadian Press reports that Information Commissioner Suzanne Legault has told a Commons committee that a bill introduced last month to cease the registration of long guns and delete more than seven million records in the federal long-gun registry "would set a bad precedent for the destruction of government records" and violate the Library and Archives of Canada Act. Also speaking before the committee, Privacy Commissioner Jennifer Stoddart "urged caution in destroying the data, pointing to regulations that require institutions to keep records for at least two years," the report states. 

DATA PROTECTION

Councillor Requests Mailing List Investigation (November 25, 2011)

A local official is requesting that Elections Canada investigate the source of a mailing list used by a campaign group, Canada.com reports. Comox Valley Common Sense group paid Canada Post to deliver personally addressed cards to voters, the report states, including one addressed to Courtenay Councillor Ronna-Rae Leonard's mother at Leonard's home. But Leonard's mother was deceased and never lived at that address. "My concern is about a breach of privacy and the potential for identity theft," Leonard said, adding that "if an anonymous group can get hold of such personal details, I want to know where from and what the implications might be."  

INFORMATION ACCESS

Dickson: Review Reports Show Trend in Denying Access (November 25, 2011)

Saskatchewan Privacy Commissioner Gary Dickson has reprimanded the City of Saskatoon for obstructing the public's access to information under The Local Authority Freedom of Information and Protection of Privacy Act, reports News Talk 650. In three Review Reports issued this week, Dickson highlights instances where information access has been denied. He says the trend "suggests a systemic issue or problem that warrants some attention by the mayor."

DATA PROTECTION

University Plans To Outsource E-mail Service (November 25, 2011)

Plans by Ryerson University to outsource its e-mail services to a private company have some concerned about privacy and security, the Toronto Star reports. Ryerson plans to use Google Apps Education Edition system, a move similar to that of Lakehead University in 2006, which prompted that university's faculty union to file a grievance that their privacy and academic freedom were infringed upon. Since Google is a U.S. company, the U.S. government could potentially require Google to provide access to such data under the USA PATRIOT Act, the report states. The grievance was dismissed with the arbitrator saying e-mails should be considered as confidential as postcards. 

PRIVACY LAW

NDP Warns of e-Communications Legislation (November 25, 2011)

The New Democratic Party's (NDP) critic on privacy issues has warned that the proposed electronic communications monitoring law contains elements that he considers "very disturbing," Lavalnews.ca reports. Warnings from Timmins-James Bay MP Charlie Angus came after the federal privacy commissioner expressed similar concerns to Public Safety Minister Vic Toews last month. Angus says his number one concern with the legislation is the ability for the police to access warrantless geotracking information of individuals "simply on a hunch or on a whim...The tracking information gives an enormous amount of power to the police." 

PERSONAL PRIVACY

Group Seeks Citizens’ Petition on Smart Meters (November 25, 2011)

Organizers of a group opposed to smart meters confirmed at a recent press conference that they will seek public support to use the Recall and Initiative Act to prevent BC Hydro's continued installation of household smart meters, The Vancouver Sun reports. The group, StopSmartMeters.ca, says health and privacy are among their concerns, and neither the utility nor the provincial government has been responsive to their objections. Board members Walt McGinnis and Steve Satow are asking citizens to register their objections on its website.

ONLINE PRIVACY

Privacy-Focused Browser Extension Released (November 23, 2011)

PCWorld reports on a team of European and U.S.-based privacy researchers and product designers that has released "a browser-based implementation of Privicons, a project that aims to provide users with a simple method of expressing their expectations of privacy when sending e-mail." The "Privicons" are six icons matched with instructions such as "don't attribute" or "keep private" that users can add to their e-mails "to instruct recipients about how to handle a message or its content," the report states. Project proponents note it is based on user choice rather than the technological enforcement used for most e-mail privacy efforts. 

DATA THEFT

Company Reports Attempted Hack (November 22, 2011)

PCWorld reports that AT&T has notified customers of an "organized and systematic" attempt to access their personal account information. In an e-mail, the company said that it did not "believe that the perpetrators of this attack obtained access" to the accounts when using auto script technology to "determine whether AT&T telephone numbers were linked to online AT&T accounts." The company said it will investigate the incident.

EMPLOYEE PRIVACY—CANADA

Review: Board Must Protect Privacy (November 21, 2011)

The Chronicle Herald reports on the completion of a review of the Workers' Compensation Board of Nova Scotia launched in January by Dulcie McCallum, the province's freedom of information and privacy review officer. "Internal memos show that the board has broken the province's privacy law with 155 breaches of clients' personal information over a 32-month period," the report states, noting the review includes 21 recommendations for improved data protection and advises the board "to put privacy on a higher plane and recognize that it is the guardian of sensitive personal and personal health information." The board's CEO has said it plans to adopt all of the report's recommendations.

PRIVACY

OPC Annual Report Spotlights Concerns (November 18, 2011)

Government data breaches, "disturbing gaps" in the way police manage personal information and concerns about airport security are among the issues highlighted in Privacy Commissioner Jennifer Stoddart's annual report. In addition to the full report, the Office of the Privacy Commissioner (OPC) has published an audit of selected RCMP databases and one on airport security practices. The report also highlights a "record number of breaches of personal information" reported by the government, the National Post reports--up 38 percent from the previous year. But, the OPC report notes, that may not be cause for alarm because it could "simply mean that organizations are becoming more diligent in reporting incidents to us."

DATA LOSS

Study Finds Gov’t Insider Breaches Soaring (November 18, 2011)

CBC News reports on a new study indicating that government Internet data breaches by insiders are on the rise. While IT security breaches across all sectors dropped by 50 percent--with government breaches dropping 23 percent from 2010--that was not the case for insider breaches in the government sector, which include both malicious and accidental incidents. Insider breaches "grew by 28 percent between 2010 and 2011 and are up 68 percent since 2008," the report states, now comprising 42 percent of those reported by government entities. That compares to insiders being responsible for 27 percent of breaches at public organizations and 16 percent at private businesses, the report states.

TRAVELERS’ PRIVACY

Commissioner Raises Airport Data Collection Concerns (November 18, 2011)

"The Government of Canada is collecting too much information about some air travelers and is not always safeguarding it properly." Those findings were included in an audit published this week by Privacy Commissioner Jennifer Stoddart that reviewed Canadian Air Transport Security Authority privacy policies and practices. The commissioner has determined the authority reached "beyond its mandate" by collecting information on passengers in ways that were "not related to aviation security." The audit also found "types of personal information collected by the agency were not always properly secured" and that prohibited items--including closed-circuit television cameras--were located in full-body scan screening rooms.

DATA PROTECTION

BC Commissioner Seeks Budget Increase (November 18, 2011)

BC Privacy Commissioner Elizabeth Denham yesterday asked a committee of MLAs for a budget increase to account for new work that her office will take on in the coming year, The Victoria Times Colonist reports. Denham wants $490,000 to fund a new team that will handle the work associated with reviewing and writing rules on cross-ministry data sharing, the report states. Denham's office was tasked with this work under reforms to the provincial Privacy Act passed last month. "The reality is that these types of massive data-linking initiatives, if not done with proper regard for protection of privacy or robust independent oversight, is a privacy disaster in the making," Denham told the committee.

PRIVACY

Cavoukian Named Among Canada’s Top Influential Women (November 18, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian has been named one of Canada's 25 most influential women by Women of Influence, Digital Journal reports. The award cites Cavoukian's work in protecting privacy and recognizes her as one of the leading privacy experts in the world. "I am deeply honored at being included in this distinguished group of women and hope to shine greater attention to the pursuit of preserving our freedoms, which are built up on a bedrock of privacy," the commissioner said.

ONLINE PRIVACY

CEO Discusses Complexity of Privacy on the Web (November 18, 2011)

A company that ranks users' online influence using their social media activity is facing criticism for creating "shadow profiles" of non-users without permission, and while some are criticizing the company, others say it is using the same practice as many others by scouring the Web for data and aggregating it. In a Q&A with itbusiness.ca, Klout CEO Joe Fernandez discusses the "privacy wake-up call," noting the complexity of privacy in a social networking world and adding, "The biggest thing we screwed up was just surprising all of our users."

PRIVACY LAW

OPC Seeks Legal Agent Submissions (November 18, 2011)

The Office of the Privacy Commissioner (OPC) Legal Services, Policy and Research (LSPR) Branch has announced it "is inviting Expressions of Interest (EOI) from interested lawyers or law firms with demonstrated competence and ability to comply with the criteria set out in the EOI and the related Schedule A" through November 30. "To carry out the mandate of the LSPR Branch, the OPC relies on in-house counsel as well as private-sector lawyers, both domestic and international, to deliver legal services where demand for services exceeds available internal resources and/or expertise," the announcement notes. Full details are available through the OPC website.

ONLINE PRIVACY

Company Offers WiFi Opt-Out (November 16, 2011)

Google has agreed to provide a WiFi opt-out method for users who prefer to keep the names and locations of their wireless routers out of the company's database. The move comes after the company faced increased pressure from data protection authorities in the Netherlands, The New York Times reports.

ONLINE PRIVACY

Should Consumers Worry? Experts Share Views (November 16, 2011)

The Wall Street Journal assembled a diverse panel of experts to discuss the degree to which individuals should worry about their online privacy, including topics such as social network privacy controls, online behavioral advertising and government surveillance. Panelists included Steptoe & Johnson Partner Stewart Baker, Microsoft Senior Researcher danah boyd, CUNY Graduate School of Journalism Prof. Jeff Jarvis and Open Society Institute Fellow Christopher Soghoian. "If we overregulate privacy managing only to the worst case," said Jarvis, "we could lose sight of the benefits of publicness, the value of sharing." Personal data collected by firms "is like toxic waste," said Soghoian, "eventually, there will be an accident that will be impossible to clean up, leaving those whose data has spewed all over the Internet to bear the full costs of the breach." (Registration may be required to access this story.) Editor's Note: Jeff Jarvis will deliver a keynote address at the IAPP Global Privacy Summit 2012.

PRIVACY LAW

APEC Endorses Cross-Border Rules (November 15, 2011)

At a meeting in Hawaii this week, the Asia-Pacific Economic Cooperation (APEC) leaders endorsed the APEC Cross-Border Privacy Rules (CBPRs), reports Hunton & Williams' Privacy and Information Security Law Blog. Implementing the rules enables data flow across borders "while enhancing data privacy practices; facilitating regulatory cooperation, and enabling greater accountability through the use of common principles, coordinated legal approaches and accountability agents," said an APEC statement. Welcoming the approval of the rules, FTC Commissioner Edith Ramirez said they have the potential to "significantly benefit companies, consumers and privacy regulators." The APEC Data Privacy Subgroup will next begin developing the structure for CBPR implementation, the report states.

PRIVACY LAW—CANADA & U.S.

Stoddart: Border Agreement Shouldn’t Sacrifice Privacy (November 15, 2011)

The perimeter agreement negotiations currently underway between Canada and the U.S. "can easily be compared to two individuals drastically redefining their relationship," writes Canadian Privacy Commissioner Jennifer Stoddart in The Huffington Post Canada. Noting that both countries "strongly value their privacy and realize its importance to the vitality of our democracies," Stoddart points out that "some key legislative differences on privacy protection exist between our countries," meaning that Canadians should "think about what we share and where we differ." Stoddart highlights three main differences between U.S. and Canadian approaches to privacy, including the protection of citizens' privacy from the federal government; national privacy legislation and an independent authority to oversee privacy issues.

BIOMETRICS

Creepy or Cool? Facial Recognition Is on the Rise (November 14, 2011)

From digital billboards that target advertising based on the demographics of passersby to an app that scans bars determining the average age and gender of the crowd to Facebook's "Tag Suggestions" feature, facial recognition is looking like the wave of the future, The New York Times reports. While some see the trend as an opportunity to offer and receive relevant information, others are concerned about potentially more intrusive uses of the technology.

INFORMATION ACCESS

Appeals Court: Commissioner Has Right To Access Files (November 11, 2011)

Newfoundland and Labrador Information and Privacy Commissioner Ed Ring is pleased with a court of appeal ruling that the provincial Department of Justice (DOJ) should have turned over information he requested, Lawyers Weekly reports. The DOJ had denied Ring's request for records, claiming solicitor-client privilege under the Access to Information and Protection of Privacy Act. Overturning a Supreme Court Trial Division ruling, Justice Michael Harrington wrote in his decision that "the commissioner's routine exercise of his authority to review solicitor-client privileged materials is absolutely necessary." Ring's attorney called the decision a "very important one."  


PRIVACY LAW

Commissioner’s Office Investigating Veterans Affairs (November 11, 2011)

The Office of the Privacy Commissioner (OPC) says an audit of Veterans Affairs Canada's privacy practices will be released early next year, CBC News reports. The announcement follows complaints from a third veteran, Sylvain Chartrand, that his medical records were accessed 4,000 times in seven years. Veteran Sean Bruyea claimed last year that his records were inappropriately accessed, resulting in some Veterans Affairs officials being reprimanded or suspended and prompting a second veteran to come forward. "We are currently conducting an audit of Veterans Affairs," said OPC spokeswoman Anne-Marie Hayden. "It is examining, at a systemic level, the department's personal information management practices and compliance with federal privacy legislation."


DATA LOSS

Researchers Used Socialbot To Collect Personal Data (November 11, 2011)

A study conducted by University of British Columbia researchers says Facebook's security system failed to stop a Facebook imposter from collecting personal information about thousands of members, reports the Edmonton Journal. The researchers will present a paper at a conference next month announcing that they used "socialbots" to collect 250 gigabytes of information from Facebook users over an eight-week period. The data included e-mail addresses, phone numbers and other profile information, the report states. An Edmonton Journal op-ed says the information the socialbot was able to glean is the fault of the users who uploaded the information, not Facebook.


BIOMETRICS

Police Say Fingerprinting Not a Done Deal (November 11, 2011)

Niagara police say they may not pursue a study that could ask strippers, cabbies and bus drivers to provide fingerprints on the job, reports The Standard. The Niagara Regional Police licensing unit is investigating biometrics as a way to protect against identity theft, but there has been public concern. Vaughn Stewart, acting chair of the police board's licensing committee, said any program would be thoroughly considered before being implemented. "We would need legal opinions on this, whether it's appropriate. It's like the airport. Do you like being patted down and having to take your shoes off? Society has made the decision that those little infringements are for the greater good," Stewart said.


DATA PROTECTION

Commissioner Launches Guide for Teachers (November 11, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian has launched a new guide for high school teachers on privacy, Digital Journal reports. The Resource Guide for Grade 11/12 Teachers aims to "engage students' interest and stimulate group discussion on a variety of timely topics," the report states. The commissioner's office launched a similar guide for grade 10 teachers last year. "As technology continues to evolve, it is...important to educate teens about privacy protection and the fact that privacy is not about secrecy--it is about the right of individuals to control their own personal information."


DATA LOSS

CRA Employee Loses Tax Data on 2,700 (November 11, 2011)

Privacy Commissioner Jennifer Stoddart is asking why she was never informed of a 2006 Canada Revenue Agency (CRA) data breach in which an employee copied the tax records of almost 2,700 citizens to CDs--and allowed a portion of those to be downloaded to a friend's laptop, reports CTV. During a 2008 grievance hearing against CRA, the employee produced the CDs and asked the panel to read an e-mail saved to one of them, triggering an investigation into the data security practices of the organization. While the disks have been recovered, the laptop is still missing. The CRA says the investigation shows the data was deleted from the laptop "in such a way that an average user could not access through a normal operating system." 


SOCIAL NETWORKING

A Look At One Site’s Privacy Changes (November 11, 2011)

Financial Times reports on Facebook's history with privacy regulators. Most recently, Ontario Information and Privacy Commissioner Ann Cavoukian said she's "disappointed" that Facebook has "gone in a direction that is not in line with privacy." But the company's first brush with privacy regulators came in July 2009 with a report from Privacy Commissioner Jennifer Stoddart on its "serious privacy gaps." The report incited changes to the company's privacy policy that limited the amount of data third-party applications could collect and required specifications on personal information accessed. Facebook CEO Mark Zuckerberg called the company's changes "a pretty big overhaul to the system we have." (Registration may be required to access this story.)


DATA LOSS

Gaming Service Breached (November 11, 2011)

V3.co.uk reports that hackers have infiltrated the systems of Valve--a games developer--and accessed customer data from the company's Steam networking service. In addition to "defacement" of Steam's online forums, a database containing user names, e-mail addresses, purchase histories and billing addresses was accessed. Valve also said that credit card numbers and passwords were obtained but were encrypted. A statement from Valve said, "We do not have evidence that encrypted credit card numbers or personally identifying information was taken by the intruders, or that the protection on credit card numbers or passwords was cracked." The online forums will remain disabled while an investigation ensues.  

DATA PROTECTION

Carrots, Sticks and Big Data (November 11, 2011)

In The Mercury News, Larry Magid summarizes last week's 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Magid observes that "there are tensions not only between regulators and those they regulate but among regulators themselves, who don't always agree on just whether they should be wielding sticks or dangling carrots." Meanwhile, the Mexico City Declaration has been published online, revealing global data protection authorities' intentions for the coming year, which include a commitment to explore transparency mechanisms; communicate about priorities and resource allocation, and "share knowledge among themselves and with privacy validation bodies and organizations of privacy professionals," among other measures.      


DATA LOSS

Experts: CPO, Plans Needed To Avoid High-Cost Breaches (November 11, 2011)

"Having a good plan in place can seriously reduce the costs resulting from the breach as, in these kinds of situations, the longer things run without being dealt with in the proper fashion, the more costly it can get." That's the message from one of the cyber-risk experts sharing insights on guarding against high-cost data breaches in a Financial Times feature. Given the ever-increasing amount of personal data that companies hold about their customers, the report highlights safeguards that apply across jurisdictions and borders, including having a breach response plan and a dedicated chief privacy officer in place. (Registration may be required to access this story.)    


PRIVACY

Science Fiction Comes to Life with IoT (November 10, 2011)

Computerworld reports on the emergence of the Internet of Things (IoT)--"where anything with intelligence (including machines, roads and buildings) will have an online presence"--and ways in which classic science-fiction scenarios are coming true. A representative from Cisco predicts that there will be 50 billion connected devices by the year 2020. Social networks would act as the connective tissue between them. "In the coming years, anything that has an on-off switch will be on the network...I foresee it in just about every industry and stream of life," he says. The IoT brings with it concerns about security and privacy protection. A representative from the Massachusetts Institute of Technology said, "Basic e-mail is still getting hacked, and we've had that for 25 years."   
Full Story

PRIVACY LAW

Multinationals Struggle To Comply With Varied Laws (November 9, 2011)

Describing online privacy as "an issue of central importance for businesses in every industry," Financial Times explores the efforts of policymakers to strengthen existing privacy laws and introduce new ones as Internet technologies evolve ahead of legislation. "The rules differ widely from country to country, with varying degrees of enforcement," the report states, noting that from the sectoral privacy regulations of the U.S. to those "stricter laws" in place in such countries as the UK, Germany and Canada, "the large and growing body of different national privacy regimes means that multinational businesses operating in many markets, face an increasingly difficult task in complying with them all." (Registration may be required to access this story.)
Full Story

DATA LOSS

Company Takes Down Websites After Breach (November 7, 2011)

Adidas has taken down some of its websites after it learned of a "sophisticated, criminal cyber attack" last week, The Inquirer reports. The company has said it does not believe consumer data was compromised, but as a precaution, it took the sites offline while it conducted a "thorough forensic review." The company has implemented more security measures and said, "nothing is more important to us than the privacy and security of our consumers' personal data." 
Full Story

DATA LOSS

Medical Records Lost in Two Incidents (November 4, 2011)

British Columbia Information and Privacy Commissioner Elizabeth Denham has initiated an investigation into two separate incidents involving compromised government medical records, CBC News reports. In a written statement, Denham said that one incident involves a lost unencrypted laptop that contains personal information of approximately 450 patients of the Vancouver Coastal Health Authority. A second incident involves improper disposal of Ministry of Children and Family Development records, which contained names, addresses, birth dates and client health card numbers, according to the report. Of the incidents, Denham said, "British Columbians have a right to expect that ministries and health authorities will take all reasonable steps to protect their personal information."
Full Story

PRIVACY LAW

University Responds To Commissioner (November 4, 2011)

Memorial University has responded to Newfoundland and Labrador Information and Privacy Commissioner Ed Ring's ruling that the school breached the Access to Information and Protection of Privacy Act (ATIPPA) when it created a health and employment records registry, VOCM.com reports. A representative from the university said that the privacy commissioner's ruling is concerning because it raises issues that the representative claims are not covered by the ATIPPA.
Full Story

PRIVACY LAW

Gun Registry Data Sharing Debate Continues (November 4, 2011)

The Toronto Star reports on Privacy Commissioner Jennifer Stoddart's response to a request for information regarding information sharing provisions within the Privacy Act. With Bill C-19, the Conservative majority government hopes to eliminate the federal gun registry, spurring public debates about certain provisions of the bill and media reports suggesting that gun registry information could be shared with provinces and territories, which appears to be contrary to statements made earlier by Minister Vic Toews. To highlight this, an NDP MP made public a letter from the privacy commissioner written in response to questions about the information sharing. While the letter points to a section of the Privacy Act that could permit the disclosure, in appropriate circumstances, the Office of the Privacy Commissioner has not commented on Bill C-19 and whether or not such a disclosure would be appropriate.
Full Story

PRIVACY LAW

Opinion: Anti-Spam Legislation Likely Delayed (November 4, 2011)

Writing in the Ottawa Citizen that it's "déjà vu all over again," Michael Geist contends that the anti-spam bill will likely be delayed because "the same groups" are making "the same arguments" against passing the current draft legislation. Over the summer, Industry Canada and the Canadian Radio-television and Telecommunications Commission called for comments on the bill, which generated arguments to amend it. "Some of the suggested changes make sense," Geist says, "and have garnered near universal support...Yet, for every legitimate regulatory concern, there seems to be a group that wants to reopen the carefully crafted legislative compromise." Geist adds, "The relentless campaign against the legislation has proven effective as it appears virtually certain that the government will now delay its implementation."  
Full Story

ONLINE PRIVACY

Opinion: Privacy Choices Should Remain Private (November 4, 2011)

In a column for The Huffington Post, Michel Kelly-Gagnon questions whether citizens should trust the government to protect their online privacy. Choosing a "social life in favour of privacy" and "sacrificing some privacy in order to have more of a social life" is a choice everyone should have the right to exercise. "Some people," Kelly-Gagnon writes, "seem to think that individuals are not wise enough to make these choices and that somebody has to decide for them and impose the same trade-off on everybody." Private companies, he asserts, have incentives to keep consumer data private. "I am simply proposing to rely mostly on private choices" to address privacy issues, Kelly-Gagnon writes.
Full Story

SOCIAL NETWORKING

Opinion: Gov’t Youth Program Takes Wrong Approach (November 4, 2011)

In a column for Macleans.ca, Emma Teitel writes that the federal government is taking the wrong approach in its youth privacy initiative because the program "fails to address what is arguably the most insidious social media problem facing youth today: it's impossible for them to control who takes their picture and where they turn up online...The reality is that avoiding being in a single party picture on Facebook means avoiding the party altogether." While the campaign says, "If you don't want a future college/job/internship/scholarship/sports team to see it, don't post it publically," Teitel says that's "difficult to manage, especially when you're not the one taking or posting the photos."
Full Story

PRIVACY LAW

Nunavut Proposes Privacy Act Amendments (November 4, 2011)

After finalizing a review of the Access to Information and Protection of Privacy Act, the government of Nunavut has announced that it will propose amendments that will provide improved "accountability and transparency," Nunatsiaq Online reports. Speaking in front of the legislative assembly last week, Nunavut Premier Eva Aariak said, "The major change to be considered is to make privacy oversight mandatory." The government of Nunavut has said that it will present amendments by the end of 2012.
Full Story

BEHAVIORAL TARGETING

Google Releases Opt-Out Feature for Users (November 3, 2011)

Google has released a new feature to explain why Google search and Gmail users have been targeted by advertisements and allow them to opt out of such ads from future search page results, reports The Wall Street Journal. "Why These Ads" is an effort to increase company transparency when it comes to behavioral advertising, the company's senior vice president of advertising wrote in a blog post. "Because ads should be just as useful as any other information on the Web, we try to make them as relevant as possible for you. Over the coming weeks, we're making improvements to provide greater transparency and choice regarding the ads you see on Google search and Gmail," the blog states. (Registration may be required to access this story.)  
Full Story

ONLINE PRIVACY

IAB Issues Guide on Data Uses (November 3, 2011)

The Interactive Advertising Bureau (IAB) has published a new guide to help media planners, publishers and data providers communicate about their data uses, MediaPost News reports. The "Data Segments and Techniques Lexicon" aims to give "relevant parties a common set of terms and collection methods around the use of data to create audience segments for online campaigns," the report states. The guide provides instruction on the use of data for behavioral targeting; defines terms such as first- and third-parties, and clarifies various categories of user data, such as "inferred," "predictive" and "descriptive" data.  
Full Story

SOCIAL NETWORKING

Impending “Timeline” Release Elicits Concerns (November 3, 2011)

USA TODAY reports on Facebook's impending overhaul of its members' profile pages with the unveiling of its new "Timeline" feature. The feature will display members' history on Facebook comprehensively, which has drawn criticism from privacy advocates. "Things, over time, get harder to find, and that is sometimes a good thing," said Marc Rotenberg of the Electronic Privacy Information Center (EPIC). In letters to the Federal Trade Commission, EPIC has voiced concerns that Facebook should "honor its past commitment to privacy settings," the report states. Facebook says users will have five days to hide aspects of their profiles that they don't want as part of their history. 
Full Story

PRIVACY LAW

Expert: Global Harmonization Needed for Cloud (November 2, 2011)

In an interview with BankInfoSecurity, Internet security expert Alastair MacWillson says that inconsistent data protection laws in various markets are proving to be a difficult challenge for large organizations using cloud-based services. "Much like any innovation," he says, "it takes a lot of people to talk about the opportunities and also the risks, and it takes a little bit longer for the technology guys to catch up." MacWillson discusses the interstate and international challenges organizations face, advantages provided by the cloud for cross-border security risk management and finding a balance between the risks and advantages of using the cloud.
Full Story

PRIVACY LAW—CANADA

Opinion: “Lawful Access” Legislation Is Surveillance (October 31, 2011)

In a National Post op-ed, Ontario Information and Privacy Commissioner Ann Cavoukian contends that the re-introduction of three federal lawful access bills, C-50, C-51 and C-52, would create "a system of expanded surveillance," adding, "I have no doubt that, collectively, the legislation will substantially diminish the privacy rights of Ontarians and Canadians as a whole." She warns that Canadians "must be extremely careful not to allow the admitted investigative needs of police forces to interfere with or violate our constitutional right to be secure from unreasonable state surveillance." Cavoukian urges the government to redraft the bills. "The government needs to step back and consider all of these implications." 
Full Story

DATA PROTECTION

Browser Found To Have Privacy Flaw (October 31, 2011)

Recent versions of a third-party Web browser reportedly have been found to have a privacy flaw, reports Ars Technica. The Android Police blog has reported that a breach of privacy occurs when every URL loaded in Dolphin HD is relayed as plain text to a remote server, the report states. Dolphin HD has released a statement explaining that when the URL is relayed, data is not collected or retained and says it has updated the browser to disable the feature and that it will be opt-in in the future.
Full Story

PRIVACY LAW—CANADA

Toews Unmoved by Letter (October 28, 2011)

Postmedia News reports that Public Safety Minister Vic Toews is unmoved by the federal privacy commissioner's urgings to consider the effect potential lawful access legislation would have on the privacy rights of Canadians. In a public letter to Toews this week, Commissioner Jennifer Stoddart outlined several concerns about the legislation, saying that "Read together, the provisions of the lawful access bills from the last session of Parliament (C-50, C-51 and C-52) would have had a significant impact on our privacy rights." Stoddart added that "the government has not convincingly demonstrated that there are no less privacy-invasive alternatives available to achieve its stated purpose."     
Full Story

EMPLOYEE PRIVACY

Drivers’ Union Investigating Covert Cameras (October 28, 2011)

After discovering hidden cameras inside approximately 14 metro buses, Vancouver bus drivers and the Canadian Auto Workers Union 111 are seeking legal advice as to whether Coast Mountain Bus Company breached the drivers' privacy, the Vancouver Sun reports. Cameras were originally installed to provide security and protection for drivers, but the second "hidden" lens was reportedly never disclosed. A union representative said, "The greatest damage that has been done is to the employees in terms of mistrust...It's not a good feeling to find out the company installed secret cameras." The company has said the cameras were supposed to have been removed and has apologized to its 3,500 drivers.
Full Story

INFORMATION ACCESS

FOI, Gun Registry Up For Debate (October 28, 2011)

Presenting arguments before the Newfoundland and Labrador Supreme Court, lawyers attempted to determine what role the information and privacy commissioner has in cases involving access to information requests, The Telegram reports. The case revolves around a media request for a government official's e-mail over a five-day period. The judge said he needs time to decide the case. Meanwhile, British Columbia Information and Privacy Commissioner Elizabeth Denham says she's "deeply troubled" by a reported loophole that allows taxpayer-funded educational institutions the choice of whether to disclose the use of that money to the public. Denham has said the government should amend the Freedom of Information and Protection of Privacy Act to fix the problem. Additionally, Federal Information Commissioner Suzanne Legault says she will review proposed legislation that would destroy gun registry records.
Full Story

EMPLOYEE PRIVACY

Privacy Commissioner Releases Hiring Guidelines (October 28, 2011)

To ensure employers are familiar with British Columbia's Personal Information Protection Act, the province's privacy commissioner has released guidelines for the time when the majority of personal information is transmitted--the hiring process, Kelowna Capital News reports. The guidelines include advice on what to do with unsolicited resumes, employer information requests and reference and background checks. The commissioner also recently published guidelines on conducting background checks via social media websites.
Full Story

PERSONAL PRIVACY

Opinion: Users Lack Control of Personal Data (October 28, 2011)

Noting that "the tools to control our digital privacy and protect valuable personal data are not in our hands," Calgary Herald columnist Lee Rickwood adds that "the idea of designing privacy controls into digital products or online services is at the very least an appropriate consideration." With existing tracking technologies that follow users who are not logged in, "Users should not have to 'go deep' into a computer program or Internet activity log to find out about online tracking tools used by a given site or its third-party partners." Topics such as these were discussed by Alberta Information and Privacy Commissioner Frank Work and British Columbia Privacy Commissioner Elizabeth Denham at a recent conference.
Full Story

ONLINE PRIVACY

Opinion: Web 3.0 Is Underway (October 28, 2011)

In a column for the Toronto Star, John Terauds writes about what the industry is calling Web 3.0, which is "how to best take advantage of the billions of pieces of data about how we live, work, love and shop that are being generated by social media." A representative from the World Wide Web Consortium said, "We're about to see a new arms race between consumer protection versus those companies that want to lure people into something." Terauds opines that as the barriers between marketing and personal life break down, "we and our children leave a trail of electronic breadcrumbs that can be picked up by anyone who has the means to grab and analyze that data on social media sites."
Full Story

SOCIAL NETWORKING

Privacy Concerns Go Global (October 28, 2011)

Human Resource Executive Online reports that just as social media use has become a worldwide phenomenon, "so too has concern over privacy breaches and potential employment-related litigation." The report highlights examples from across the globe--including 99,000 discrimination allegations filed with the U.S. Equal Employment Opportunity Commission last year; the view in many European countries that electronic data is owned by the data subject; varied privacy laws from country to country, and the impact of cultural differences. Despite such differences, the report states, "there are good reasons for parameters, particularly in industries and sectors where personal information breaches could threaten an organization's credibility or survival."
Full Story

BEHAVIORAL TARGETING

Credit Card Companies Look Into OBA (October 26, 2011)

The Wall Street Journal reports on plans by the world's two largest credit card networks to move into the online behavioral advertising business. Though the technology to link purchase transactions with an individual's online profile is still evolving, according to the report, Visa and Mastercard are currently pursuing the idea. The article cites a published Visa patent application that would attempt to incorporate information from DNA data banks into profiles that would target consumers online. Meanwhile, a representative from Mastercard said in an interview in August, "There is a lot of data out there, but there is not a lot of data based on actual purchase transactions...We are taking it a level deeper...it is a much more precise targeting mechanism." (Registration may be required to access this story.)

DATA PROTECTION

Study Delves Into the Stress of the Job (October 26, 2011)

A survey commissioned by data protection company Websense shows that while many IT managers feel their jobs depend on keeping company data secure, 91 percent said new levels of management are engaging in data security conversations. Systems & Networks Security reports the study polled 1,000 IT managers and 1,000 non-IT employees in Canada, Australia, the U.S. and the UK about security threats, and 86 percent of respondents said their job would be at risk if a security incident occurred, while 72 percent called protecting company data more stressful than getting a divorce. Meanwhile, "When asked about real-time protection solutions in place, many respondents listed product and vendor names that don't offer real-time protection at all," said a Websense spokesman.
Full Story

ONLINE PRIVACY

Researcher Says Skypers Are Vulnerable (October 25, 2011)

A researcher from New York University (NYU) will present findings in Berlin next week asserting that Skype may allow strangers access to users' contact details. "If you have Skype running in your laptop, then I or any other attacker can inconspicuously call you, obtain your current IP address and your current location without you ever knowing about it," says NYU's Keith Ross, a professor of computer science. A high school-aged hacker would be capable of such an act, Ross says, adding that the hacker could scale the operation to track thousands of users. Skype's chief information security officer says determining other users' IP addresses is possible with typical Internet communications software, not just Skype's. 
Full Story

SOCIAL NETWORKING

DPC Investigating “Shadow Profiles” and Data Logs (October 24, 2011)

The Irish Data Protection Commissioner (DPC) is investigating complaints against Facebook for its data collection practices. Fox News reports on one allegation that the site encourages members to offer information on nonmembers and uses it to create "extensive profiles." The Wall Street Journal reports that another complaint claims Facebook held information on an Austrian student which appeared to have been deleted from his account. The data included rejected friend requests, untagged photos of the student and logs of all his chats. Facebook denies both claims. A company spokeswoman said "the assertion that Facebook is doing some sort of nefarious profiling is simply wrong," adding that its messaging service works the way "every message service ever invented works." (Registration may be required to access this story.)
Full Story

INFORMATION ACCESS

Commissioner Finds No Wrongdoing, Draws Criticism (October 21, 2011)

Alberta Information and Privacy Commissioner Frank Work announced Tuesday that an investigation into former minister Ted Morton's use of a secondary e-mail address found no evidence of wrongdoing, the Edmonton Journal reports. In a press release, Work said that the use of the secondary e-mail address was not an attempt "to circumvent" the Freedom of Information and Protection of Privacy Act. However, some are criticizing the investigation because Work and his office did not interview Morton directly. Politician Laurie Blakeman said, "I think what we are seeing here is the freedom of information and protection of privacy information legislation in Alberta is, there's no question, slanted toward the government being able to hang onto the information." Work has since said that he didn't see a need to interview Morton.
Full Story

PRIVACY LAW

Opinion: BC Bill Could Threaten Privacy (October 21, 2011)

In a column for the Victoria Times Colonist, Vincent Gogolek opines about a bill before the British Columbia legislature that could "radically increase" the government's "power to collect, use and share" citizens' personal information. Introduced October 4, Bill 3 "eliminates many of the privacy protections in the Freedom of Information and Protection of Privacy Act." Proposed amendments include making it easier for the government to share personal information with "partner" organizations and other governments--such as the U.S. Department of Homeland Security. Gogolek writes that officials are "definitely not talking to British Columbians about how, when, why and with whom the government will be sharing some of our most intimate information."
Full Story

DATA PROTECTION

OPC Launches “Small Business Week” (October 21, 2011)

The Office of the Privacy Commissioner of Canada (OPC) has made this week "Small Business Week" to educate small businesses on data security and privacy protection best practices. The OPC has also created a new section on its website providing small businesses access to online tools to help measure their data protection and security. Additionally, a series of articles will be published to increase awareness of common cybersecurity threats. Privacy Commissioner Jennifer Stoddart said, "Privacy goes hand-in-hand with trust and, for any business, trust goes hand-in-hand with customer loyalty and client confidence."
Full Story

INFORMATION ACCESS

Agencies in Legal Battle with Information Commissioner (October 21, 2011)

Officials on the Commons Access to Information, Privacy and Ethics Committee are looking into a court battle between the Canadian Broadcasting Corporation (CBC) and Information Commissioner Suzanne Legault, the Ottawa Citizen reports. Citing the Access to Information Act, the CBC will not disclose certain information to the commissioner because it relates to journalism. The Federal Court has ruled that Legault can view the documents, but the CBC has appealed the ruling, the report states. MP Dean Del Mastro said, "my concern is that we have a public entity, the CBC, in court against the information commissioner of the House spending millions of dollars fighting each other." 
Full Story

DATA PROTECTION—U.S. & CANADA

Regulators Urge Business Leaders To Limit Data Collection (October 19, 2011)

Speaking at a conference in San Francisco, U.S. and Canadian regulators warned entrepreneurs and business leaders of the dangers of collecting unnecessary data from customers, InformationWeek reports. FTC Bureau of Consumer Affairs Director David Vladeck said that businesses should only collect information they need and not retain it longer than is necessary, adding, "It's an albatross that can come back and really bite you." Saying that "privacy is an enabler of innovation" and can provide a competitive advantage, Ontario Information and Privacy Commissioner Ann Cavoukian urged businesses to proactively protect privacy and give consumers control of their data. "Privacy is about control...The individual should control what happens to the information," said Cavoukian.
Full Story

ONLINE PRIVACY

Site Brings New Meaning to “Creepy” Data Use (October 19, 2011)

A new website--used by 300,000 people in its first 24 hours--accesses information from people's Facebook accounts to create a personalized horror movie featuring a man browsing through the user's account and "getting increasingly agitated," reports The New York Times. Take This Lollipop's developer, Jason Zada, says creating the site was a fun seasonal project but adds that its popularity may in part be due to people's concerns about how their data is being used. "When you see your personal information in an environment where you normally wouldn't, it creates a strong emotional response," Zada said. "It's tied into the fears about privacy and personal info that we have now that we live online." (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY—CANADA

Coalition Wants Smart Meters Stopped (October 18, 2011)

A citizens' coalition in British Columbia hopes to stop a utility's installation of smart meters in homes across the province, Nanaimo News Bulletin reports. "These BC Hydro smart meters have to go completely," said spokesman Walter McGinnis of the Coalition To Stop Smart Meters. The group wants to stop the mandatory installation of the meters due to privacy, security and other concerns. It plans to launch an appeal under the BC Recall and Initiative Act. BC Hydro Community Relations Manager Ted Olynyk says that meter installations will continue. The utility asserts that the meters use data protection methods similar to those used by banks.
Full Story

PRIVACY LAW

Commissioner: Political Party Breached Act (October 14, 2011)

BC Privacy Commissioner Elizabeth Denham has ruled that the provincial NDP broke the law during its last political race. Last April, the NDP "asked potential candidates to hand over their social media passwords as part of the vetting process," CBC News reports. Most complied with the request; however, one candidate refused, later agreeing to hand over his personal information but not his password. The NDP's actions violated the Privacy Act, Denham says, in its collection of personal information about the candidates and others without their consent. A spokesperson for the NDP said it stopped collecting the password after Denham voiced concerns.
Full Story

DATA LOSS

Cavoukian: Stop Sending Paper Records (October 14, 2011)

Ontario's privacy commissioner has ordered a provincial healthcare provider to stop sending paper records, the Toronto Star reports. The order issued on Thursday follows an investigation into Cancer Care Ontario's loss of personal information on more than 7,000 patients. "Cancer Care Ontario should not have used a courier service to send paper-based records...when other viable, more secure and privacy protective options were available," said Commissioner Ann Cavoukian. The agency's chief privacy officer said, "We accept the recommendations," adding that Cancer Care will be moving to an electronic portal format and will increase staff training, among other steps.
Full Story

ONLINE PRIVACY

Commissioner Shares Insights, Concerns (October 14, 2011)

In an interview with Communitech, Privacy Commissioner Jennifer Stoddart shares insights about online privacy, including the challenges of keeping personal information safe and raising public awareness of potential threats. When asked about key concerns, Stoddart focused on two issues. The first is the need for a paradigm shift so that companies, as she put it, "Innovate for privacy, and if you don't, either in terms of reputational harm or in terms of monetary penalties, it won't be worth your while." Secondly, she said, is the issue of data security, adding that amid many recent reports of breaches, "I think we really have to look at rejigging the incentive system."
Full Story

INFORMATION ACCESS

Police Refuse Record Disclosure (October 14, 2011)

York Regional Police are refusing to release reports on lost or stolen weapons, citing privacy concerns about involved officers' personal information. The force's freedom of information officer says the names of officers who lost weapons or the circumstances in which the weapons were lost can't be released without consent from the officers involved. The Toronto Star requested the data as part of an investigation into lost or stolen weapons in the area. A University of Ottawa professor specializing in access to information and privacy says there is no reason the information should be considered private.
Full Story

DATA LOSS

Company Suspends 93,000 Online Accounts (October 12, 2011)

Sony announced that it has locked 93,000 online network user accounts because of an unusual number of sign-in attempts from an unauthorized user, AFP reports. The suspicious activity reportedly took place between October 7 and 10 and verified user IDs and passwords. The company said that the incidents "appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources," and "only a small fraction of the 93,000 accounts showed additional activity prior to being locked." Sony is continuing an investigation into the breaches and has notified affected users.
Full Story

FINANCIAL PRIVACY

U.S. Crackdown on Offshore Accounts Raises Concerns (October 7, 2011)

Foreign financial institutions will need to start identifying their American accountholders as part of the U.S. Foreign Account Tax Compliance Act (FATCA) in 2014, and Privacy Commissioner Jennifer Stoddart has warned it could "run afoul" of Canada's privacy laws, The Globe and Mail reports. Referencing a "little-noticed provision" pertaining to derivatives contracts, the report states that FATCA will "require that foreign financial institutions ensure all transactions dated after March 18, 2012, comply with the new rules," and, "Without changes, Americans living in Canada could eventually be denied service by Canadian financial institutions if they balk at providing their U.S. Social Security number or taxpayer ID number, as demanded by the IRS."
Full Story

INFORMATION ACCESS

Commissioner To Investigate Secondary E-mails (October 7, 2011)

Alberta Information and Privacy Commissioner Frank Work has announced that his office will investigate the use of secondary e-mail accounts by cabinet ministers and revisit the rules and policies that apply to such usage, CBC News reports. Work will release a report once the investigation is complete. According to a news release from Work's office, the investigation is not "an offence or breach investigation...Rather, the commissioner wishes to establish clear guidelines respecting the treatment of ministerial e-mails under the Freedom of Information and Protection of Privacy Act." 
Full Story

ONLINE PRIVACY

Gov’t Launches Cybersecurity Awareness Initiative (October 7, 2011)

Citing the myriad threats to online privacy, the federal government has started a public awareness campaign to inform citizens about cybersecurity, The Vancouver Sun reports. The government's initiative--Get Cyber Safe--was introduced by Public Safety Minister Vic Toews and features a website informing individuals about ways to protect their online identity. The campaign also includes calls to government authorities--from provincial to international--to share cybersecurity responsibilities as well as to the private sector to improve online data protection. Toews said, "Our increasing reliance on cyber technologies makes us more vulnerable to those who would attack our digital infrastructure to undermine our national security, economic prosperity and quality of life."

PRIVACY LAW

Opinion: Quebec Needs Data Protection Amendment (October 7, 2011)

In the Montreal Gazette, Éloïse Gratton writes that the federal government's reintroduction of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) includes a business transaction exemption, which--if passed--would put the legislation in line with British Columbia's and Alberta's data protection laws. Gratton notes that if the proposed amendments in Bill C-12 are made into law, then "Quebec will be the only jurisdiction with a data protection law not providing for a business transaction exemption," adding that organizations within Quebec's jurisdiction "will continue to proceed without clear knowledge of the risks involved" in a business transaction that discloses personal information.

SOCIAL NETWORKING

Opinion: “Small Changes” Have Big Privacy Impact (October 7, 2011)

In his column for The Globe and Mail, Ivor Tossell writes that while major changes to the world's largest social network "make big headlines...it's the small changes we really need to worry about." Facebook recently rolled out "a tiny change, so small as to seem completely unworthy of note" that makes it more difficult for users to untag themselves from photos, he writes, suggesting, "The tiniest details of design have a huge effect on the way people use technology." Making the process more cumbersome has "tilted the playing field" away from privacy, he writes, and "from all the photos, events, tags and comments, Facebook can piece together a remarkable picture of what you've done where, when and with whom."      

PERSONAL PRIVACY

Cavoukian: Web Users Must Have Freedom To Choose Privacy (October 7, 2011)

In a letter to the editor in The Wall Street Journal, Ontario Information and Privacy Commissioner Ann Cavoukian writes that reviewers of a new book by Jeff Jarvis, Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live, have been "seduced by the virtues of 'publicness'" and "generally fail to give appropriate weight to his contrasting observations about the importance of retaining control over one's personal information." Cavoukian writes, "The decision whether or not to share--indeed, the very ability to control that which is shared--must lie with the individual." (Registration may be required to access this story.)

PERSONAL PRIVACY

Opinion: iPhone Technology To Change Lives (October 7, 2011)

New iPhone plans will bring highly sophisticated facial recognition technology to millions of users, reports Kit Eaton for Fast Company. The technology will allow for automatic identification of photo subjects, authorization of online payments and, potentially, lip reading. But Eaton wonders if iPhone manufacturer Apple will also use the technologies for advertising efforts. "The ubiquitous use of face IDs and deep integration of social networking into iOS 5 will be bound to cause hand-wringing about the erosion of personal privacy," Eaton writes.

FINANCIAL PRIVACY

Expert: Many Complacent on PCI DSS Compliance (October 6, 2011)

In an interview with BankInfoSecurity.com, Verizon PCI Consulting Services Director Jen Mack says that many organizations are still struggling with the Payment Card Industry Data Security Standard (PCI DSS). In its PCI Compliance Report, Verizon disclosed results of a study of 100 organizations--ranging from Fortune 500s to small businesses--showing that many are complacent about security. "Many take the approach that it's a compliance project versus trying to achieve what I think can be an optimal security posture for the long-term health of the business," says Mack. She also discusses how organizations maintain compliance; why many are complacent with security, and why cardholder data breaches should be a concern for the industry.

PRIVACY

Pro Bono Privacy Initiative Brings Expertise to Nonprofits (October 6, 2011)

Amidst a growing need among nonprofits for expertise in the protection of personal information, privacy professionals have come together to form the Pro Bono Privacy Initiative, which is now in its pilot phase. In this Daily Dashboard exclusive, pilot volunteers--who hail from such well-known firms and companies as Baker & McKenzie, Hogan Lovells, Hunton & Williams, Deloitte, Intuit, Verizon and IBM--discuss their hope for this new program. As IBM VP Security Counsel and Chief Privacy Officer Harriet Pearson, CIPP, puts it, "The true sign of a mature profession is when people step back and give back."   

PRIVACY LAW—CANADA

BC Legislation Proposes Sweeping Changes (October 5, 2011)

Lawmakers in British Columbia have proposed legislation that would make "significant changes" to its Freedom of Information and Protection of Privacy Act, The Victoria Times Colonist reports. The proposed changes would allow the province to issue CareCard-driver's licenses with a microchip giving citizens access to government services such as electronic health records, voting and school registrations, according to the report. The legislation also includes an opt-out for citizens. One critic warned, "The whole idea of consenting to government services in exchange for your privacy is absurd on its face," while British Columbia Privacy Commissioner Elizabeth Denham said, "This is a step in the right direction, but I think there's still a lot of work to do."

DATA PROTECTION

Experts Offer Advice on Legacy IT Systems (October 5, 2011)

Though businesses rolling out new IT systems or collecting new data on their customers are increasingly privacy-conscious, the same is not true for legacy systems, reports Computerworld Canada. Experts including Ontario Privacy Commissioner Ann Cavoukian and Sagi Leizerov, CIPP, of Ernst & Young, offer advice on how to address the most pressing issues when it comes to such systems, including advising IT staff that more is not better when it comes to data collection, taking stock of "which systems your sensitive information is passing through...evaluating and improving upon the password policy settings in custom apps" and looking at any "unrestricted mass data storages and share folders."

PRIVACY LAW

Court: U.S. ECPA Covers Noncitizens (October 4, 2011)

A federal court has ruled that individuals who are not citizens of the U.S. are covered under the protections provided by the Electronic Communications Privacy Act (ECPA), Courthouse News reports. An India-based company wants Microsoft to disclose the e-mails of an individual accused of fraud in Australia, but the 9th Circuit Court has ruled that the defendant's e-mail account is protected under ECPA. One judge wrote that "this case ultimately turns on the plain language of the relevant statute" and the "plain language" is the term "any person." Meanwhile, the U.S. Supreme Court will not review a California Supreme Court case that upheld law enforcement's right to search suspects' cell phones without a warrant. Editor's note: The IAPP will host the Web conference How to Craft Plain Language Privacy Notices on Thursday at 1 p.m. ET.

ONLINE PRIVACY

New Browser Raises Privacy Concerns (September 30, 2011)

Computerworld reports on Amazon's new Silk browser and the concerns raised by privacy advocates. The browser will connect to a cloud service owned by the company, thereby speeding up browsing capabilities, and, according to the company, a secure connection will be established "from the cloud to the site owner on your behalf for page requests of sites using SSL." A representative from the Center for Democracy & Technology said, "This makes Amazon your ISP...I don't think it's at all clear that Amazon can step into that," but he added it was a "great move" for the company to offer an opt-out to customers. The Electronic Frontier Foundation commented that "there are some worrisome privacy issues" in general around use of browsing history.

PRIVACY LAW

Gov’t Reintroduces PIPEDA Amendments (September 30, 2011)

Minister of Industry Christian Paradis has reintroduced amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) in the House of Commons, Storage and Destruction Business reports. The bill's amendments would require organizations to report "material breaches of personal information" directly to the Privacy Commissioner of Canada; notify individuals when their information is compromised, and streamline rules for companies, among others. Paradis said, "Canada already has a solid legislative framework in place to ensure the protection of personal information...these amendments are based on extensive consultations and will help us maintain a balanced and practical approach to privacy law."

DATA LOSS

Lost Memory Stick Contained PHI of 1,500 (September 30, 2011)

The personal information of approximately 1,500 patients at a hospital in St. John has gone missing, the Telegraph-Journal reports. The USB storage device, which was used as a main system backup, contained patient information, including Medicare numbers. After an in-depth search for the missing device, the hospital's chief privacy officer (CPO) said that they believed the item had been misplaced. Affected patients were notified of the incident. In addition to contacting New Brunswick's access to information and privacy commissioner, the CPO said the hospital is developing "a policy that gives direction to staff about storage of electronic personal health information."     

SURVEILLANCE

Advocates: Law Would “Open Window” Into Private Lives (September 30, 2011)

Expectations that "so-called lawful access legislation" introduced in 2009 could soon be reintroduced are raising privacy concerns, The Vancouver Sun reports. The proposal was based on concerns regarding criminals' use of mobile phones and the Internet, but the report cites fears that if the legislation is reintroduced, "the new rules would open a new window into our private lives that police would be able to peer through without a warrant." BC Information and Privacy Commissioner Elizabeth Denham has cautioned, "If you are setting up private sector in a way that will provide easier access to the police, that's shifting our fundamental outlook about privacy and civil rights protections of constitutional rights."

DATA LOSS

Health Records Found on Street (September 30, 2011)

A media outlet in Calgary was given medical records that were found on the street, iNews880 reports. The records contain names, birth dates and surgical procedures. Alberta's information and privacy commissioner is currently investigating the incident. A spokesperson for the commissioner said, "There's a lot of very personal information in those files."

CHILDREN’S PRIVACY

OPC Launches Contest on Privacy Issues (September 30, 2011)

The Office of the Privacy Commissioner has announced that it will host the fourth annual My Privacy & Me National Video Contest to help educate children aged 12 to 18 on privacy issues surrounding common online activities, Digital Journal reports. Students are invited to submit video public service announcements associated with social networking, mobile devices, online gaming or cybersecurity. Privacy Commissioner Jennifer Stoddart said, "Young Canadians are in constant contact with others...They're talking, texting, trading images and playing online games. Does this mean they don't care about privacy? We think they do--and we want to help them to show us how."

SOCIAL NETWORKING

Site Introduces New Privacy Features (September 30, 2011)

Music streaming site Spotify has introduced new privacy features in the wake of complaints about its integration with the world's largest social network, the Financial Times reports. The music service had "quietly introduced the requirement that all new users sign up with a Facebook account rather than the usual e-mail" and "defaulted to sharing all a user's listening habits," the report states. While users could choose to opt out of sharing their music tastes through Facebook, in response to "hundreds of complaints," Spotify's CEO has announced a new "private listening" mode, noting, "we value feedback and will make changes based on it." (Registration may be required to access this story.)

SOCIAL NETWORKING

DPC Opens Investigation; Data Use Concerns Persist (September 29, 2011)

Following an advocacy group's logging of more than 20 complaints, Ireland's Data Protection Commission "will examine all of Facebook's activities outside the U.S. and Canada" with a goal of publishing its findings by the end of the year, siliconrepublic reports. Meanwhile, the Financial Times highlights privacy advocates' concerns that the social network is not adequately informing users of the potential for information "it will collect from new entertainment and media applications" to be used in advertising. One advocate said, "If the ad were to publish facts about you without your knowledge...it would cross into extremely creepy territory," while Facebook stressed its features "only work if people explicitly opt in to them."

FINANCIAL PRIVACY

Firms Scrambling Ahead of PCI DSS Audits (September 29, 2011)

Firms are struggling to maintain compliance with PCI DSS standards, SearchSecurity.com reports. That's based on the "2011 Verizon Payment Card Industry Compliance Report," which looked at more than 100 PCI DSS assessments conducted by Verizon's PCI Qualified Security Assessors in 2010, based on compliance with 12 PCI DSS standards. The report found 21 percent of organizations were fully compliant, and when compliance is achieved, it's not maintained through the next assessment period. Organizations are meeting about 80 percent of requirements, a Verizon spokesman said, adding, "We're seeing lots of scrambling to get things in order for the assessor, and that's not the intent of PCI DSS at all."

SOCIAL NETWORKING

Technologist Says Site Fixed Cookie Problem (September 28, 2011)

ZDNet reports that Facebook has denied technologist Nik Cubrilovic's claim that the social networking site tracks users even after they have logged out. Cubrilovic, whose claims incited concerns among privacy advocates this week, says Facebook has since made changes to the logout process, alleviating privacy concerns. He has detailed the functions of what he says are the site's five persistent cookies, including the user ID, which he says is now destroyed when a user logs out. The rest of the cookies, Cubrilovic says, are not concerning and users "shouldn't worry about them."

SOCIAL NETWORKING

Site’s Redesign Ignites Concerns (September 27, 2011)

Facebook's planned redesign has some users and privacy advocates concerned, The Washington Post reports. The redesign will integrate third-party apps into a user's profile page and update user activity on those apps automatically, meaning "users will have to think more carefully about what apps they use, since their private media consumption, exercise routines and other habits could be automatically published on their profiles," the report states. Pam Dixon of the World Privacy Forum said consumers have voiced that they don't understand the new, more granular privacy controls. (Registration may be required to access this story.)

ONLINE PRIVACY

Opinion: Search Engines Need Discretion (September 27, 2011)

In a column for The New York Times, Noam Cohen analyzes the "predicament" surrounding the loss of control of one's online identity through search engine algorithms. One such case involves a U.S. presidential candidate whose lost online identity "stands as a chilling example of what it means to be at the mercy" of a search engine algorithm. A search engine company says that "search results are a reflection of the content and information that is available on the Web," but Cohen writes that the issue should be directed at the companies, not the algorithms, "especially when it comes to hurting living, breathing people." (Registration may be required to access this story.)

PRIVACY

Report Spotlights “New World of Corporate Privacy” (September 26, 2011)

The Wall Street Journal explores the value of privacy impact assessments to avoid "running into regulatory fire in the complicated landscape of privacy law" across jurisdictions, pointing out that a "growing cadre of professionals is being hired to manage companies' privacy risk." The report spotlights the work of the IAPP; includes insights from several IAPP members from leading companies including GE, IBM, Apple and Hewlett-Packard, and quotes IAPP President and CEO J. Trevor Hughes, CIPP, who explains that when it comes to the work of privacy professionals, "Early on it was all about compliance. Today, there is as much business-management focus as there is law and compliance." (Registration may be required to access this story.)

DATA PROTECTION

New Technologies and Tips for Protecting Data (September 26, 2011)

The frequency and scale of recent data breaches are causing many companies to reevaluate their data protection mechanisms and question what to do in the event of a cyberattack. The Wall Street Journal reports on new methods of system security that go beyond the password, such as two-factor authentication and machine fingerprinting. While not perfect, one expert equates the additional security to "putting speed bumps in front of the bad guys." In a separate report, the WSJ outlines a list of steps to take if your organization has been hacked, including preemptive training and planning; when to call in the experts and authorities, and tips on notifying customers. (Registration may be required to access this story.)

PERSONAL PRIVACY

Complaint Lodged Against Liberal Party (September 23, 2011)

A woman has lodged a complaint with the Prince Edward Island (PEI) privacy commissioner after e-mails she sent to a cabinet minister were released to the media by the Liberal Party, reports CTV.ca. The woman claims she thought the two e-mails--in which she alleges corruption in the immigration nominee program--would be kept confidential, but the Liberal Party denies any reasonable expectation of privacy. PEI Privacy Commissioner Maria MacDonald said, after initial examination, she doesn't see any relevant exemptions in the law allowing for the release of the e-mails, but the Liberal Party is not a public agency and therefore not covered by the privacy law. MacDonald will not confirm whether her office is investigating the complaint. 

CHILDREN’S PRIVACY

Commissioner Urges Teenagers To Protect Privacy (September 23, 2011)

Privacy Commissioner Jennifer Stoddart is encouraging teenagers to consider the consequences before posting personal data online so that they can "take advantage of all of the benefits that the online world has to offer--without having any regrets later." Stoddart has released "Protecting Your Online Rep" to help educate high school students about how to protect their privacy and is planning to release similar packages for younger students later this year, The Toronto Star reports. "Think twice about every piece of information before you post it on the Internet," Stoddart said, "because once it's up there it can be impossible to take down."

PRIVACY LAW

Commissioner Releases Lawyer Guidance (September 23, 2011)

The Office of the Privacy Commissioner (OPC) has created a handbook for lawyers explaining how the Personal Information Protection and Electronic Documents Act applies to law practice in the private sector. "While lawyers may be familiar with privacy laws in general, they may benefit from some concrete guidance on how to apply the laws to their own practice," said the OPC's general counsel, adding, "Canadian lawyers have a leadership opportunity to serve as exemplars of ethical and respectful conduct on behalf of their profession and the clients they serve."

DATA PROTECTION

Ontario Commissioner Releases Whitepaper (September 23, 2011)

Ontario's Information and Privacy Commissioner has released a whitepaper for regulators, decision-makers and policy-makers. "Privacy by Design in Law, Policy and Practice" aims to "help support the wide implementation of the principles of Privacy by Design," the paper states. It encourages companies to "go beyond mere legal compliance with notice, choice, access, security and enforcement requirements" and, instead, design their own approaches to risk management within regulatory frameworks.

SOCIAL NETWORKING

Facebook and Netflix Pair Up (September 23, 2011)

At Facebook's f8 conference yesterday, Netflix announced that it will integrate its video streaming services with Facebook, allowing users to watch videos--and see what their friends are watching--on Facebook. The service will be available in 44 countries, not including the U.S., where the Video Privacy Protection Act (VPPA) prevents the disclosure of video sales and rentals, reports The Washington Post. (Registration may be required to access this story.)

PRIVACY LAW—CANADA

No Online Monitoring in Crime Bill (September 22, 2011)

Prime Minister Stephen Harper's crime bill was revealed on Tuesday without a provision to allow for increased access to individuals' online activities, pleasing opponents of "lawful access," reports PostMedia News. "I take this as a positive, that even if Prime Minister Stephen Harper is going to reintroduce this, he'll allow Canadians to debate it," said one lawful access opponent. Canada's federal and provincial privacy commissioners expressed their concerns with the proposal in a letter earlier this year, saying it would "significantly diminish" Canadians' privacy. Government officials are stressing that more anti-crime legislation is on the way, and authorities need "21st century tools" to fight online criminals.     

HEALTHCARE PRIVACY

Survey: Industry Lacks Data Security (September 22, 2011)

A survey of the healthcare industry reveals that less than half the companies surveyed are bolstering privacy and security measures to keep up with the growing use of digital technology, Reuters reports. Of the 600 executives interviewed by PricewaterhouseCoopers' Health Research Institute, nearly 74 percent are planning to expand the use of electronic health records, but only 47 percent are addressing related privacy and security implications. One of the report's contributors, Jim Koenig, CIPP, said, "health IT and new uses of health information are changing quickly and the privacy and security sometimes may not be moving in step...That is some of the most sensitive and important information to a consumer, so with the advancement of healthcare IT, it's only natural that advancements in privacy and security should come along."  

ONLINE PRIVACY

Researcher: Smartphone IDs Not Secure (September 19, 2011)

The Wall Street Journal reports on the use of smartphones' unique ID numbers as a way for criminals to access users' social networks. While the IDs do not contain user information in and of themselves, the report notes that "app developers and mobile ad networks often use them to keep track of user accounts, sometimes storing them along with more sensitive information like name, location, e-mail address or social-networking data," effectively using the IDs as what researcher Aldo Cortesi describes as a not-too-secure key to that information. "Mobile security is not limited to a singular app or games overall--it's an issue that the entire mobile ecosystem needs to address," Cortesi said. (Registration may be required to access this story.)

PRIVACY LAW

Report Challenges Border Plan (September 16, 2011)

Prime Minister Stephen Harper and U.S. President Barack Obama are expected to announce the details of the "Beyond the Border" perimeter security pact in the coming weeks, reports Postmedia News. The U.S. ambassador to Canada says the plan will enhance security for both countries and "make the lives of people and businesses who need to go back and forth across the border...more efficient." But a recent report echoes privacy advocates' concerns over cross-border data sharing and says the deal may contravene the Data Protection Law. In his report, "Shared Vision or Myopia: The Politics of Perimeter Security and Economic Competitiveness," Gar Pardy says the deal represents an "integration of security matters" and recommends the privacy commissioner review and monitor all information-sharing agreements.

SURVEILLANCE

Advocates, Politicians Vocal Against “Lawful Access” (September 16, 2011)

An open Internet advocacy group has launched a campaign against proposed legislation that would give authorities more power to conduct Web surveillance and intercept communications. The Vancouver Sun reports that OpenMedia's campaign has received the support of the federal Green Party, and the federal New Democrats have also voiced objections to the proposed legislation. OpenMedia posted online video advertisements showing how it believes the legislation would invade citizens' privacy and has circulated a petition signed by about 65,000 people. The Canadian privacy commissioner recently released a survey showing that eight of 10 Canadians did not feel authorities "should be able to request information from telecommunications companies about Canadians and their Internet usage without a warrant from the courts."

TRAVELLERS’ PRIVACY

ePassports Feature Facial Recognition Technology (September 16, 2011)

Canada will roll out its ePassports by the end of 2012, featuring enhanced digital security measures such as facial recognition technology. The new documents will include an electronic chip encoded with the individual's name, sex, date and place of birth, as well as a digital image, The Vancouver Sun reports. Some experts say the new passports' enhanced features are not justified. "There hasn't been any debate if it's a good thing or not," says Andrew Clement of the Information Policy Research Program at the University of Toronto, adding that the facial recognition technology could be used to screen images in watch lists. "It's concerning that our everyday activity is surveyed," he said.

PRIVACY LAW

Commissioner Approves Gov’t Investigation (September 16, 2011)

British Columbia's privacy commissioner has approved a government internal review of a security breach incident that occurred in 2009, The Vancouver Sun reports. An employee from the Ministry of Housing and Social Development in the Lower Mainland, who has since resigned, allegedly e-mailed sensitive information about government clients to a U.S. Department of Homeland Security border guard, the report states. After monitoring the government investigation, the privacy commissioner issued a closing report on February 18. A spokeswoman for the commissioner said, "The investigator was satisfied that the government had taken the appropriate steps in responding to this breach, including developing adequate prevention strategies."

INFORMATION ACCESS

Hospital To Release Data Thief’s Identity (September 16, 2011)

The North Bay Regional Health Centre announced that it will reveal the name of the nurse who breached the data of more than 5,800 of its patients--but only to those patients, reports the North Bay Nugget. The hospital was waiting for official notice from the Office of the Ontario Information and Privacy Commissioner on the privacy laws surrounding the release. After reading a letter submitted to the North Bay Nugget by Commissioner Ann Cavoukian stating, "Privacy considerations do not prevent the identity of the staff member responsible for the breach being disclosed to the affected individuals," the hospital decided to make the name known to victims who request it. Marc Buchard, the hospital's chief privacy officer, said those who want the nurse's name may contact him.

CHILDREN’S PRIVACY

OPC Releases Online Tool (September 16, 2011)

The Office of the Privacy Commissioner (OPC) has created a tool to help teachers and others communicate to children about ways "technology can affect their privacy and to show them how to build a secure online identity and keep their personal information safe," says the OPC release. The package--aimed at students in grades nine through 12--includes a presentation with detailed notes and ideas for class discussions.

DATA PROTECTION

Top Security Threats for Small Businesses (September 16, 2011)

The Globe and Mail reports on the 10 most overlooked security threats for small businesses. Informatica Corporation Chief Security Officer Claudiu Popa, CIPP, says top threats include malware infections leading to data loss, malicious breaches, hijacked domain names, insider threats, breaches caused by infected devices, data breaches and theft. When it comes to breaches as a result of insufficient security, the problem is that lost data "cannot verifiably be recovered with the damage undone. Once copied or transferred, those actions can't be undone," Popa writes, suggesting that firms take action to properly encrypt data at all steps of the information lifecycle.

PRIVACY

Opinion: Digital Policies Absent in Political Debates (September 16, 2011)

Last week saw the beginnings of Ontario's election campaign, and Liberals, Progressive Conservatives and the NDP were promoting their policies, but according to Ottawa Citizen columnist Michael Geist, notably absent were digital policy plans. While the federal government generally takes the lead on digital policy, provinces are often the keepers of consumer protection and civil rights legislation, he notes. "With privacy reform stalled at the federal level, there is an important role to play for provincial governments, yet the issue is not discussed by any of the three provincial parties. Several Canadian provinces including Alberta, British Columbia and Quebec have enacted broad-based privacy legislation. Ontario has not, raising the question of where the parties stand," he writes.

PRIVACY

Jennifer Barrett Glasgow Receives 2011 Privacy Vanguard Award (September 16, 2011)

Jennifer Barrett Glasgow, CIPP, Acxiom Corporation Executive for Global Public Policy and Privacy, received the 2011 IAPP Privacy Vanguard Award at the annual Privacy Dinner last night in Dallas, TX. Presenting the award, past IAPP Board Chairman and GE Chief Privacy Leader Nuala O'Connor Kelly, CIPP, CIPP/G, described Barrett Glasgow as an educator, advocate and "model of courage, of poise and grace." Also recognized at the dinner were the winners of the 2011 HP-IAPP Innovation Awards--Warner Bros. Entertainment, Inc., Ontario Telemedicine Network and Heartland Payment Systems. Texas Comptroller Susan Combs delivered the evening's keynote address on how agencies, businesses and organizations can learn from a data breach, make proactive data protection choices and improve for the future.

ONLINE PRIVACY

Google Offers Location Service Opt-Out (September 14, 2011)

The New York Times reports Google will provide an option for residential WiFi routers to be removed from a registry the company uses to locate cell towers. The change comes in the wake of warnings by EU data protection regulators that "unauthorized use of data sent by WiFi routers, which can broadcast the names, locations and identities of cell phones within their range, violated European law," the report states. Google Global Privacy Counsel Peter Fleischer noted the opt-out comes at the request of several European data protection authorities and "will allow an access point owner to opt out from Google's location services." The opt-out will be available internationally, the report states. (Registration may be required to access this story.)

PRIVACY LAW—CANADA

Damages Awarded Under PIPEDA (September 14, 2011)

A Canadian bank must pay monetary damages to a client after one of its employees disclosed the client's account information, reports Employment Law Today. An attorney representing Nicole Landry's husband in their divorce case subpoenaed a Royal Bank of Canada (RBC) employee to deliver Landry's bank account information to court. The employee also faxed Landry's information to the attorney without her consent, which violates RBC policies and the Personal Information Protection and Electronic Documents Act (PIPEDA). Landry claimed personal harm and humiliation--for which PIPEDA allows monetary damages--and was awarded $4,500. This is the second time damages have been awarded in PIPEDA's 10-year history.

SOCIAL NETWORKING

Facebook Tests “Smart Lists” Feature (September 13, 2011)

Facebook has been testing a new privacy feature with a select number of users, reports Mobiledia. Smart Lists allows users to group their friends in categories and customize news feeds to deliver content to certain lists. The report states that the feature may be Facebook's response to Google+, which uses its "Circles" feature to categorize groups of people. Facebook has not officially announced the feature or when it will be released to all users.

PRIVACY

Mexican DPA Discusses Data Protection, International Conference (September 12, 2011)
For the first time in its 33-year history, the International Conference of Data Protection and Privacy Commissioners (ICDPPC) will be held in Latin America, hosted this year by Mexico's Federal Institute for Access to Information and Data Protection (IFAI). In this Daily Dashboard exclusive, IFAI President Commissioner Jacqueline Peschard discusses the highlights of the upcoming 2011 conference, entitled "PRIVACY: The Global Age," as well as the work of the IFAI and the international data protection landscape. As Peschard puts it, in a time when data is not hemmed in by geographic boundaries, DPAs must work together across borders, which is one of the key aims of ICDPPC.

BEHAVIORAL TARGETING

W3C Announces Tracking Protection Working Group (September 12, 2011)

The World Wide Web Consortium (W3C) recently announced its Tracking Protection Working Group, established to create a "set of standards that enables individuals to express their preferences and choices about online tracking and enables transparency concerning online tracking activities," the group said on its blog. The Register reports that one of the first hurdles the group may face is getting all the stakeholders to agree on the standards. "A critical element of the group's success will be broad-based participation," W3C said, adding that do-not-track efforts by Microsoft and Mozilla will act as the basis for the group's work. Aleecia McDonald, senior privacy researcher at Mozilla, and another unidentified industry leader will co-chair the group. 

PERSONAL PRIVACY—U.S. & CANADA

9/11’s Effect on Societal Norms (September 12, 2011)

American Public Media's "Marketplace" explores how the convergence of the government's post-9/11 intensified security efforts and Internet giants' remake of the online environment created a "data collection revolution." Researchers and an industry executive weigh in on ways that government investments in surveillance technology--such as facial recognition--have made possible online features and applications that, according to Alessandro Acquisti of Carnegie Mellon University, are "bringing us closer to a world where online and offline data merge. The consequences can be cool but also very creepy." Meanwhile, British Columbia Privacy Commissioner Elizabeth Denham questions whether the "progression of security measures," and subsequent loss of privacy, "has been effective or proportionate to the threat." Editor's Note: For more on the implications of Sept. 11 on privacy, read the Daily Dashboard exclusive, "An Unexpected Sept. 11 Legacy: Privacy and Civil Liberties Oversight Board Remains Dormant," and "How 9/11 Changed Privacy," from this month's Privacy Advisor.

TRAVELLERS’ PRIVACY

Border Security Plans Raise Privacy Concerns (September 9, 2011)

Ten years after the September 11 attacks, many Canadians are finding travel into the U.S. more difficult as restrictions imposed by U.S. authorities increase, the Winnipeg Free Press reports. Border security could intensify as both countries enact a perimeter security pact with the purpose of improving travel security within North America. Privacy Commissioner Jennifer Stoddart expressed concern about the move "towards an American-style model of collecting personal information" because "tidbits of our lives from everywhere would be increasingly pulled together in accordance with an American model rather than a Canadian model, which tends to segregate the information for privacy purposes and share only on a 'needs-to-know' basis." The U.S. Ambassador to Canada said that more transparency about the talks could help assuage concerns.

TRAVELLERS’ PRIVACY

Stoddart Offers Conditions for Perimeter Agreement (September 9, 2011)

In The Huffington Post Canada, Privacy Commissioner Jennifer Stoddart discusses the emerging Canada-U.S. perimeter agreement and the need to incorporate a respect for privacy. "As the pursuit of greater security continues, it doesn't have to come at privacy's expense," Stoddart writes, noting that she takes comfort in a recent comment by Foreign Affairs Minister John Baird that a respect for "the legal and privacy rights of Canadians" is essential to the process. "Given my role, I want to see those words ring true," says Stoddart, going on to offer three "essential conditions that any future agreement should meet in order to truly and properly 'promote' and 'respect' our privacy rights."     

INFORMATION ACCESS

Work Investigating Candidate’s Document Shredding (September 9, 2011)

Information and Privacy Commissioner Frank Work has launched an investigation into allegations that an Alberta politician destroyed records before leaving office, The Vancouver Sun reports. Work launched the investigation after leaked documents indicated that Conservative leadership candidate Ted Morton's staff deleted e-mails and shredded documents before Morton left his position as minister of finance and sustainable resource development, allegations a Work spokesman calls "serious," adding that Work is concerned others may be doing the same thing. It is not yet clear whether the destroyed documents would have been subject to the Freedom of Information and Protection of Privacy Act. 

PERSONAL PRIVACY

Opinion: Get Smart About Mobile Privacy (September 9, 2011)

The Windsor Star reports on the recently released survey results showing that only four out of 10 Canadians use password locks or change privacy settings to protect their privacy when using mobile phones, while nearly 70 percent "insisted" their mobile phones did not contain personal information. Privacy Commissioner Jennifer Stoddart said, "Mobile phones increasingly hold a lot of personal information, but it doesn't seem like Canadians think they do." The report warns that "Canadians need to wise up" because "smartphones will get people in trouble if they're not smart enough to use them judiciously." The report also revealed how different generations manage mobile phone privacy.   

CHILDREN’S PRIVACY

Experts: Kids Unaware of Internet Threats (September 8, 2011)

USA Today reports on the likelihood that social networks and mobile apps could violate the privacy of the children and teens who use them. From a recent settlement of a Children's Online Privacy Protection Act violation in the U.S. to calls by the UK's data protection authority for children to know their rights regarding online privacy, experts are calling for more education for youth who "exchange their personal data to Web services without knowing the possible consequences." Meanwhile, WBAL-TV 11 News reports on parents in one U.S. state who are questioning why they should provide schools with their children's Social Security numbers.

SURVEILLANCE

Facial Recognition Technology Seeing “Boom Time” (September 7, 2011)

Forbes reports on the increasing popularity of facial recognition technology, now experiencing its "boom time." The technology is being used by police departments, casinos and bars, among others. Shoe retailer Adidas is now testing the technology in order to market shoes to specific age and gender demographics, and Kraft foods is working with supermarket chains with hopes of installing facial recognition kiosks in order to better target specific consumers. "You can put this technology into kiosks, vending machines, digital signs," said a spokesman for Intel, a developer of the software. "It's going to become a much more common thing in the next few years."    

ONLINE PRIVACY

Smartphone Makers Respond to Tracking Allegations (September 6, 2011)

Microsoft has responded to a class-action lawsuit, saying the location data it collects through its Windows Phone camera is not linked to a specific device or user, reports The Next Web. While the suit claims the software collects users' geographical coordinates even after they request not to be tracked, Microsoft says that because it does not collect unique identifiers, "the Windows Phone camera would not enable Microsoft to identify an individual or 'track' his or her movements." Meanwhile, smartphone maker HTC responded to claims that at least two of its phones collect location and personal data, explaining that the data in question is de-identified, encrypted and only collected upon user opt-in.

SURVEILLANCE

In Wake of Riots, Report Calls for More CCTV (September 2, 2011)

A report released by the city manager on Thursday recommends that Vancouver beef up its use of closed circuit television cameras (CCTV) at large events, GlobalBC reports. The report follows a review sparked by the June riots that occurred after the Stanley Cup finals. "The city and Vancouver Police Department should bring forward to council an updated policy with regard to the future use of CCTV cameras for special events to assist with monitoring crowd activities, deployment of first responders...and identification of suspects...in the event of a significant disturbance." The use of CCTV for security purposes has been controversial in the past.

GEO PRIVACY

Mobile Apps in an Instant-Gratification Society (September 2, 2011)

The Toronto Star looks at the personal information tradeoff inherent in certain mobile app offerings. An investigation last year found widespread transmission of phones' locations by apps. With some developers beginning to offer location-based coupons, there is fear that consumers will be persuaded to share ever more data. "We're very bad at calculating risk or cost, so we make bad choices about sharing information," says privacy researcher and consultant Ashkan Soltani. "Instant gratification will discount things in the future." Soltani adds that legislation requiring consent for data collection probably won't work. "Without baseline privacy protection and a list of acceptable and unacceptable practices, the consent model may create more bad outcomes," Soltani says.

SOCIAL NETWORKING

Young Are More Privacy-Aware Than Old (September 2, 2011)

A CBC News report takes a closer look at one of the findings in a survey recently released by the Office of the Privacy Commissioner. The study found that young adults are more privacy-savvy than older users when it comes to understanding and using the privacy controls on social media sites. "They seem to be thinking about privacy a lot more than other generations did, from what we can observe," said Privacy Commissioner Jennifer Stoddart, adding that because social media is such an integral part of their lives, "they're forced to confront privacy issues more often."

DATA LOSS

Work: Encryption’s Cheap, Not Used Enough (September 2, 2011)

Data breach notifications are underreported by two-thirds, says Alberta Information and Privacy Commissioner Frank Work. The 90 breach notifications made to Work's office since spring 2010 represent one-third of the number of actual leaks, the Edmonton Journal reports. Work said the breaches are largely due to carelessness, such as people leaving laptops in coffee shops or accidentally sending an e-mail to the wrong person. But they are also due to a lack of data encryption. "For the minimal cost of encrypting information, it's amazing how many organizations still don't do it," Work said.

INFORMATION ACCESS

Groups Want Access Case Probed (September 2, 2011)

Newspapers Canada, the Canadian Taxpayers Federation and the BC Freedom of Information and Privacy Association are requesting a probe into why the RCMP dropped its investigation into alleged political interference with the release of government information, the Winnipeg Free Press reports. The incident involved a political aide's refusal to disclose a document requested under the Access to Information Act in 2009. Canada's information commissioner later concluded that the political aide's actions were inappropriate. The RCMP was called in but has dropped its investigation. The three groups wrote a letter this week asking for a House of Commons committee investigation into the matter.

PERSONAL PRIVACY

Opinion: Survey Results Concerning, Room for Optimism (September 2, 2011)

Responding to survey results that were released last week by Privacy Commissioner Jennifer Stoddart, a ChronicleHerald.ca editorial asks whether Canadians are "turning a blind eye" to personal data protection on their mobile devices. The results found that less than four in 10 Canadians have made attempts to protect their personal data. "There's also room for optimism," the article notes, because individuals using mobile devices the most--those aged between 18 and 34--were more likely to adjust their privacy settings. Stoddart said, "Young people are sometimes stereotyped as digital exhibitionists who are quite uninhibited in posting comments and personal images...And yet, this new data shows that they not only care about privacy, they are actually leaders in protecting it."

PRIVACY LAW

Class-Action Filed on Behalf of Mobile Phone Users (September 2, 2011)

A proposed class-action lawsuit filed on behalf of Windows Phone 7 users in a Seattle, WA, court on Wednesday alleges that Microsoft designed the phone to track customers regardless of their preferences, The Sydney Morning Herald reports. The suit alleges the company designed camera software on the phone's operating system to collect users' geographical coordinates even if they had requested not to be tracked, the report states. The suit also alleges that statements the company made in a letter to the U.S. Congress were "false." 

ONLINE PRIVACY

Kundra: Cloud Concerns re: Privacy “Unfounded and Ridiculous” (September 1, 2011)
Former U.S. Chief Information Officer Vivek Kundra is sounding off on governments' reluctance to adopt cloud computing due to privacy and information security concerns, noting the U.S. government's outsourcing of more than 4,700 systems "and yet when it comes to cloud for some reason these fears are raised," reports The Australian. In The New York Times, Kundra writes that "governments around the world are wasting billions of dollars on unnecessary information technology," adding that cloud computing is often more secure than traditional methods. Taking part in a Digital Agenda panel on Wednesday, Kundra urged government officials to think about how they are serving constituents. "All that money's being spent on redundant infrastructure, redundant application that we're not able to optimize," he said. Meanwhile, Kundra's Digital Agenda co-panelist Vice President of the European Commission Digital Agenda Neelie Kroes said that while she agrees there are benefits to the adoption of cloud computing, the value depends on trust and security in the system, and there are cultural hurdles to overcome that will take time, ZDNet reports. Editor's Note: Navigate, an IAPP executive forum being held on September 14 in Dallas, TX, will feature a special program entitled Putting Cloud Computing on Trial to fully explore these issues.

ONLINE PRIVACY

Sites Personalize Privacy Settings (August 31, 2011)
Image-hosting website Flickr has announced updates to its privacy settings allowing users to customize who sees geotags on shared photos. Users can now use the site's geofence settings to place a "blanket" privacy control on photos based on location, and geotags that do not fit into a specific category will default to the most private setting, ArsTechnica reports. On its blog, the company wrote, "A few years ago, privacy controls like this would have been overkill...But today, physical places are important to how we use the Web. Sometimes you want everyone to know exactly where you took a photo. And sometimes you don't." Meanwhile, Facebook's new privacy controls allow users to determine who can and cannot view posts and requires user approval for photo and post tagging.

PRIVACY LAW—CANADA & U.S.

Officials Say Privacy Must Be Paramount (August 30, 2011)
Amid the release of reports by Canadian Foreign Affairs Minister John Baird in the wake of a declaration between Canadian and U.S. leaders on integrating security, the National Post reports on calls for better privacy protections for Canadian citizens. Baird has said, "If we want to ensure cross-border law enforcement activities and other programs, they have to respect the legal and the privacy rights of Canadians. That is incredibly important." Meanwhile, Canadian Privacy Commissioner Jennifer Stoddart is calling for the highest level of privacy protection to apply to cross-border law enforcement, the report states.

ONLINE PRIVACY

Identifiable By Association (August 30, 2011)

In an article for Slate, Kevin Gold discusses the "leaky" nature of online privacy. Pattern recognition software has made it increasingly possible to determine a person's identity not by the data that they themselves have shared online, but by what their friends have shared. A researcher from Northeastern University found that only 20 percent of college students needed to participate in filling out profile information online "in order to deduce facts about the nonresponders who friended others," the report states. Using statistics about common characteristics, it's possible to make a "statistically motivated guess as to whether a person belongs to a particular community."     

ONLINE PRIVACY

Virtual World Group Uncovers Real World Data (August 29, 2011)

An organization within the Second Life online virtual world is collecting real-world information on users, sidestepping the site's terms of use and possibly some data protection laws, reports Avril Korman for Search Engine Watch. While Linden Lab, the company that owns the site, offers tools to customize the user experience, the report states that it is not providing adequate support, causing a rise in self-policing organizations. One such organization has, in concert with others, begun collecting information on "people's real lives, including jobs, medical conditions and family," and posting it to an unsecure wiki site, according to Korman. Some users are dismissing the threat, but Korman says, "Until Linden Lab starts actually managing their own (virtual) land and dealing with security issues in an effective manner, this problem and others like them will continue."

PRIVACY

OPC Releases Survey Findings (August 26, 2011)

A survey of 2,000 Canadians has revealed that many technology users fail to take basic steps to protect their personal information. The 2011 Canadians and Privacy Survey, which was commissioned by the Office of the Privacy Commissioner, revealed that the majority of respondents do not use password locks or device settings to protect their personal data. "Mobile phones increasingly hold a lot of personal information, but it doesn't seem like Canadians think they do," Privacy Commissioner Jennifer Stoddart told Postmedia News. The survey also measured Canadians' attitudes about privacy as it relates to social networking, national security and other areas.

PRIVACY LAW

Opinion: Privacy Laws Aren’t The Problem (August 26, 2011)

In an opinion piece for The Hamilton Spectator, Ontario Privacy Commissioner Ann Cavoukian responds to criticism about the province's privacy laws, suggesting that it's generally not the privacy laws that are to blame in cases where the laws are seen as obstacles but those who implement them. "Privacy forms the basis of our freedoms--it is the necessary underpinning of liberty," Cavoukian writes. "Blaming privacy laws puts our democratic freedoms at risk without addressing the real problem, which may be bureaucratic inertia, misguided policies, inefficient practices or simple misunderstanding of those laws."

DATA PROTECTION

Work: Practices Not Improving (August 26, 2011)

Alberta Privacy Commissioner Frank Work says people are not getting better at protecting their personal information and that the statistics for hacking breaches are "startling." The Calgary Herald reports that there have been 90 complaints made to Work's office in 16 months. "I'm running out of superlatives when we know people are going to lose things and why we're not taking more precautions," Work said. Noting the importance of computer encryption, Work added, "If you run out-of-date computer operating systems and anti-virus software, along with unneeded administrator accounts, you will be owned by hackers."

INFORMATION ACCESS

Court Rules Gov’t Should Provide Documents (August 26, 2011)

An article in The Hill Times discusses the federal court's recent decision that the government should release information on a former politician. The case involved a Canadian Press reporter who filed an access to information request to Library and Archives Canada for records on a former NDP leader. The government denied his requests, and the information commissioner validated the denial. But the court declared recently that the government should inform the reporter if additional information exists, saying that withholding the historical documents ran counter to the library's mandate to aid the "acquisition, preservation and diffusion of knowledge."

SOCIAL NETWORKING

Facebook Rolls Out Privacy Changes (August 26, 2011)

The Financial Post reports on Facebook's recent changes to its privacy settings. The changes allow users to check a box indicating which friends can see which online posts; share locations from PCs and laptops; control being "tagged" by others in posted photos, or choose to block a user entirely--disabling them from photo tags or other interactions on the site. The company wants to make the sharing options "unmistakably clear," said a Facebook spokesman.

PRIVACY

OPC Announces New Advisory Committee Members (August 26, 2011)

The Office of the Privacy Commissioner (OPC) has announced the addition of three new members to its external advisory committee. Mark McArdle, a technology executive; Loreena McKennitt, a singer and composer who won a landmark human rights privacy case in 2006, and Jean-François Renaud, the associate founder of a consulting company, will join the 18-member committee, which provides advice on the OPC's strategic direction.

ONLINE PRIVACY

Gamers Say Licensing Agreement Goes Too Far (August 26, 2011)

Some gamers who have looked closely at one gaming company's end-user licensing agreement (EULA) say the policy goes too far. In order to download EA Origin games, players must agree to allow EA Origin to collect, use, store and transmit information that identifies their computers. "EA may also use this information, combined with personal information for marketing purposes and to improve our products and services," the EULA says. "We may also share that data with our third-party service providers in a form that does not personally identify you." One user has launched a campaign to "raise awareness of Origin's privacy violation," International Business Times reports.

PRIVACY LAW—CANADA

Company Settles Over Robocalls (August 25, 2011)

Canada's minister of industry says he's pleased with the settlement between the Canadian Radio-television and Telecommunications Commission (CRTC) and Goodlife Fitness Centres, Inc. The settlement is related to the company's telemarketing methods using "robocalls" without members' prior consent. Using automatic dialing-announcing devices without prior consent is forbidden under CRTC guidelines. The company has agreed to pay $300,000; publish corrective notices in newspapers and on its website; cease the robocalls, and organize a business education event with the CRTC to encourage telemarketing compliance, the report states. Minister of Industry Christian Paradis said the settlement is "good news for Canadian consumers."   

IDENTITY THEFT

Caller ID Spoofing Threatens Personal Privacy (August 23, 2011)

The New York Times reports on the rise of an easy-to-find and legal service known as "spoofing" that allows identity thieves to access others' voicemail accounts by disguising their phone numbers, and on consumer advocate Edgar Dworsky's recent finding that thieves can also access some automated bank and credit card systems. Many mobile phone providers and financial institutions have phone systems that disclose personal information--like recent purchases--when a call is made from the customer's phone number. "There are additional steps mobile phone companies and the card issuers could take to stop this sort of thing from ever happening," the report states. "The fact that many of them don't, however, makes this your problem to solve." (Registration may be required to access this story.)

BEHAVIORAL TARGETING

Company Advises Against UDID (August 22, 2011)

Software developers who build programs for Apple's operating system have been asked by the company to avoid using unique device identifiers (UDID) in software for its iPhones and iPads, The Wall Street Journal reports. UDIDs make it easier for advertising networks, analytics firms and others to observe and track users' online behavior. A deadline for the change has not been specified, but the company's website tells developers that the tracking tool "has been superseded and may become unsupported in the future." The Center for Democracy & Technology's Justin Brookman said, "I want to see how this all plays out, but at first glance, this is a really good result for consumers." (Registration may be required to access this story.)        

PRIVACY LAW

Expert: Student Texting Incident Could Be Charter Case (August 20, 2011)

A Saskatchewan student whose grandparents filed a lawsuit after his school's vice-principal read his text messages may be able to argue his privacy was violated under the Charter of Rights and Freedoms, The StarPhoenix reports. Sanjeev Anand, dean of the University of Saskatchewan's law school, said while the Supreme Court has found that school authorities can search students at school, "the question becomes the extent of the search...What is less clear is whether the vice-principal could engage in a more extensive search of the actual texts on the phone. It may be that this search by the school official may be found to be unconstitutional."

PERSONAL PRIVACY

Privacy Included in “Smart” Security Product (August 20, 2011)

CBC reports on new technology allowing homeowners to control appliances and thermostats remotely using a smartphone. Ontario Information and Privacy Commissioner Ann Cavoukian said such technologies bring significant benefits to people's lives and that privacy concerns would only surface if the personal information was sent to a central monitoring station. The vice president and general manager of Rogers Smart Home Monitoring, which offers the new service, says building privacy into the product was important. Each user has a four-digit password in order to control appliances, and the central monitoring system doesn't have access to smartphones' e-mails, text messages or cameras, he said.

DATA LOSS

91 Cases and Counting (August 20, 2011)

Alberta's privacy commissioner has launched nearly 100 investigations into privacy breaches since May 2010, CTV reports. A recent case involving several boxes of sensitive mortgage documents found in a dumpster prompted Privacy Commissioner Frank Work's 91st investigation. The recovered documents included licence, bank account and mortgage numbers. "For heaven's sake, smarten up," Work said, referring to those responsible for the incident. "Some of the things we're seeing are utterly irresponsible."

SURVEILLANCE

Council Debates Surveillance Policies (August 20, 2011)

At its annual policy review last week, Trent Hills Council discussed whether its video surveillance policy meets the standards established by Ontario's privacy commissioner when it comes to video camera placement and data retention. One councillor claimed that a camera placed outside a municipal library that records activity at the municipal pool across the street is in violation of the standard that cameras should monitor the property at which they're located, Northumberland News reports. Clerk Marg Montgomery said surveillance cameras on municipal property must adhere to the Municipal Freedom of Information and Protection of Privacy Act and the cameras helped to catch vandals last year.

PRIVACY LAW

OPC Releases PIPEDA Guidance for Lawyers (August 20, 2011)

The Office of the Privacy Commissioner of Canada (OPC) has announced the release of a handbook to help lawyers become more familiar with the Personal Information Protection and Electronic Documents Act (PIPEDA). Launched at the Canadian Bar Association Canadian Legal Conference and Expo 2011, PIPEDA and Your Practice--A Privacy Handbook for Lawyers provides best practices for personal information management, use, collection, disclosure and response. "While lawyers may be familiar with privacy laws in general," says an OPC spokeswoman, "they may benefit from some concrete guidance on how to apply the laws to their own practice."

SURVEILLANCE

Opinion: Lawful Access Legislation Too Invasive (August 20, 2011)

In a column for The Globe and Mail, Lawrence Martin contends that proposed "lawful access" legislation will give law enforcement authorities "a freer hand in spying on the private lives of Canadians." Martin writes that 9/11 changed "the view that the citizen's right to privacy was paramount...and now the expansion of intrusive power is set for passage as part of the Conservatives' omnibus law-and-order legislation." Noting that the nation's federal and provincial privacy commissioners "are lining up against the legislation, as are citizens' groups," he warns that combining "the lawful access measures in the omnibus crime package will help limit debate and public rancour."

DATA LOSS

Opinion: Insurance Policies Rarely Cover Breaches (August 20, 2011)

In an article for The Lawyers Weekly, Gordon Hilliker discusses the importance of liability insurance. "Any organization with a website, online storage facilities or even just an e-mail account is vulnerable to a claim that it has caused damage to another's computer software or data," he writes. Most organizations purchase a commercial general liability policy. However, such a policy generally does not cover data breaches. A Sony insurer, for example, recently filed a suit claiming it's not responsible for legal costs following the company's data breach. The Insurance Bureau of Canada has revised its policy to exclude data breach coverage. Hilliker advises organizations to seek policies that specifically cover cyber risks.

HEALTHCARE PRIVACY

Opinion: EHRs Have Many Benefits (August 20, 2011)

Responding to an op-ed piece published in The Windsor Star last week, Ontario Information and Privacy Commissioner Ann Cavoukian highlights the benefits of moving to electronic health records (EHRs). The op-ed followed news that nearly 12,000 screening reports went missing. "Your comment," Cavoukian wrote, "that this incident should also 'be raising the concern about the ability of eHealth' doesn't follow. It is too simplistic...there are actually many benefits to electronic solutions from a privacy perspective."

DATA PROTECTION

Opinion: Are PIAs Enough? (August 19, 2011)

In a Communications of the ACM article, David Wright of Trilateral Research considers whether privacy impact assessments (PIAs) should be mandatory. As databases grow, so do data breaches. PIAs are a reasonable tool for any organization managing personal data, but are they enough? Wright says no; the most effective way to protect sensitive information is to use PIAs with a "combination of tools and strategies, which include complying with legislation and policy, using privacy-enhancing technologies and architectures and engaging in public education..." Whether PIAs will become mandatory, in the meantime, remains to be seen. (Registration may be required to access this story.)      

ONLINE PRIVACY

Researchers Uncover “Supercookies” (August 18, 2011)
The Wall Street Journal reports on the latest online tracking methods, including the existence of "supercookies" found on popular websites. Researchers at Stanford University and the University of California at Berkeley say that supercookies are able to recreate a user's profile even after normal cookies are deleted. According to the report, companies that were found to be using the tracking technology have since stopped the practice. A Microsoft representative said as soon as the supercookies were "brought to our attention, we were alarmed. It was inconsistent with our intent and our policy." Hulu said in an online statement that it "acted immediately to investigate and address" the supercookie issue. (Registration may be required to access this story.)

BEHAVIORAL TARGETING—CANADA

Paperless Receipts Raise Privacy Concerns (August 15, 2011)

CTV News reports on the increased use of paperless receipts by large retailers and the subsequent privacy issues that accompany the new shopping option. To get the electronic receipt, customers must provide an e-mail address, which allows marketers to cross-reference preferences and buying habits. The Office of the Privacy Commissioner's Anne-Marie Hayden says that Canadian privacy laws require that retailers inform customers about the use of their data, adding that customers "should be aware of the implications of choosing an e-receipt over a paper one" because "an e-receipt creates a record that could be tied back to them."

DATA PROTECTION

Tokenization Guidelines Released (August 15, 2011)

The Payment Card Industry Security Standards Council (PCI SSC) has released guidelines on tokenization, SC Magazine reports. The PCI DSS Tokenization Guidelines Information Supplement provides suggestions for "developing, evaluating or implementing a tokenization solution, including insight on how a tokenization solution may impact the scope of PCI DSS efforts," the report states. "These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements," said PCI SSC General Manager Bob Russo. 

STUDENT PRIVACY

Suit Filed After Texting Case (August 12, 2011)

The Toronto Star reports on a lawsuit filed by the grandparents of a Saskatchewan student whose vice-principal confiscated his cell phone after it rang in class and read the then 12-year-old's text messages. The student was then required to assist police in recovering a stolen vehicle, and the grandparents are alleging school officials invaded the boy's privacy and "jeopardized his safety."  The school board has said the teen did not have "any reasonable expectation of privacy in relation to text messages sent or received by him using his cellular telephone during school hours" as it was in violation of school policy, the report states.

PRIVACY LAW

How To Comply with Ontario’s New FIPPA (August 12, 2011)

All public and private hospitals will be subject to the provisions of the Freedom of Information and Protection of Privacy Act (FIPPA) when the newly broadened law becomes effective on January 1, 2012. The act will apply retroactively to January 1, 2007, and will apply to all records held or under the control of the hospitals. In this Canada Dashboard Digest exclusive, privacy experts from Deloitte discuss what hospitals need to do in order to comply.  

DATA PROTECTION

Rioters’ Smartphone Use Spotlights Lawful Access Laws (August 12, 2011)

Rioters in the UK are using BlackBerry's secure Messenger service to organize, prompting privacy concerns surrounding government access to communications. In Canada, some privacy advocates are concerned that the situation will promote the passage of the Conservative government's proposed "lawful access" legislation that would give authorities warrantless access to certain communications data, reports The Vancouver Sun. One surveillance expert says politicians use political unrest to push through laws that, in this case, allow for "a generalized collection of private information to deal with very specific crimes by a small number of people." He called the law "dangerous for privacy, and it removes the element of judicial oversight from the system."

PERSONAL PRIVACY

Bus Driver’s Privacy Debated (August 12, 2011)

CBC News reports on a bus drivers' union's claims that a Société de Transport (STO) driver's privacy was invaded when a passenger recorded him filling out paperwork while driving his bus in Gatineau, Que. The passenger posted the video to YouTube. Quebec's privacy commission said that the STO falls outside its jurisdiction because it is a nonprofit organization. The information and privacy commissioner of neighboring Ontario, Ann Cavoukian, described the union's claims as "outrageous," saying, "When you are performing a job, in this case a public service involving public safety...you do not have a privacy interest because your work should be transparent."

IDENTITY THEFT

Commissioner Warns of Potential Fraud (August 12, 2011)

Privacy Commissioner Jennifer Stoddart has warned citizens to be more protective of their personal information at retail stores. She notes that individuals do not have to disclose their phone numbers, area codes or other similar data when making a purchase, warning that it increases the chances of identity theft. "The more personal information that's collected about you," Stoddart said, "the more risk you run of identity theft or being the victim of fraud, so be very careful about the personal information you give out," 680News reports.

BIOMETRICS

Researcher Introduces New Facial Recognition Software (August 12, 2011)

New facial recognition technology that can identify individuals irrespective of their placement within a photo was unveiled Tuesday at a conference in Vancouver, the Toronto Sun reports. The software is capable of scanning thousands of photos into a database where "telltale signs" of individuals' hair, eyes and ears can be recognized. Similar technology is used by the Insurance Corporation of BC to help police identify assailants, but the province's privacy commissioner is monitoring its use. The researcher who unveiled the technology queried, could "government just use this technology...to look for a particular person? It's not our method, but yes."

PRIVACY LAW

Experts Urge Gov’t To Examine Crime Bill Provisions (August 12, 2011)

Citing privacy concerns, a consumer watchdog group is asking the government to study provisions that were included in three surveillance bills during the previous parliamentary session, the CBC reports. The provisions would require Internet service providers to give law enforcement authorities customer data without a warrant. One lawyer familiar with the bills said, "The overarching concern is it's an erosion of civil liberties and online privacy with no real justification for it."

HEALTHCARE PRIVACY

Opinion: eHealth Records Deserve Protection (August 12, 2011)

In an opinion piece, The Windsor Star writes that the recent loss of approximately 12,000 colon cancer screening reports raises privacy concerns around eHealth records. The column asserts that the loss of the tests "should also be raising concern about the ability of eHealth...to manage sensitive health information and ensure privacy." The loss of sensitive health data "could have a profound impact on families, careers and an individual's future if it gets into the wrong hands." One IT specialist said of the eHealth project that no data is secure and a "guarantee of privacy remains impossible." 

Company Cancels Advertising Scheme (August 12, 2011)
LinkedIn has announced that it will no longer pursue its new form of advertising called "social ads," which shared users' activities and included their pictures, The Wall Street Journal reports. The company began testing the initiative in late June after announcing it to users. Complaints about user privacy followed, including a statement from the Dutch Data Protection Authority that the company's changes may have breached Dutch privacy law. The company's head of marketing solutions told users, however, that "The only information that (was) used in social ads is information that is already publicly available and viewable by anyone in your network." (Registration may be required to access this article.)

SOCIAL NETWORKING

Threat To Destroy Site May Be Hoax (August 12, 2011)

A reported threat by a hacker group to destroy Facebook on November 5 may have been a hoax, reports eWeek. The group claimed earlier this week that it would destroy Facebook on the grounds of privacy issues, stating that the site's privacy controls are lacking. But some are skeptical about the claims. The CEO of Kaspersky Lab, Eugene Kaspersky, tweeted about the news on Wednesday, saying it "most probably is fake." Others have also registered skepticism.

Changes to the Freedom of Information and Protection of Privacy Act (August 9, 2011)

 

Megan Brister, Michelle Gordon, Alain Rocan, Miyo Yamashita

 

In 2012, Ontario will usher in a new era of transparency and oversight by including all public and private hospitals under the scope of the Freedom of Information and Protection of Privacy Act (FIPPA). On December 8, 2010, the Ontario government passed legislation to broaden the scope of FIPPA and designate hospitals as “institutions” under the act. This gives hospitals approximately one year to comply with FIPPA, the changes to which will be effective on January 1, 2012.

“In my 2004 Annual Report, I urged the Ontario government to compile and review institutions that are primarily funded by government but not yet covered by the Acts. One of the foundations underlying FOI is the principle that organizations that exist by virtue of public funding should be subject to public scrutiny through FOI laws. Now, the Ontario Hospital Association has asked the province to place Ontario hospitals under the act.”

—Commissioner Ann Cavoukian, 2009 Annual Report

FIPPA will apply to all records held or under the control of the hospitals. The act will apply retroactively to January 1, 2007. Under the amended FIPPA, the general public will have a right of access to hospital administration, financial and other records, unless the records are excluded from the right of access or subject to an exemption under FIPPA, as would be the case for patients’ personal health information.

Unlike the Personal Health Information Protection Act, which allows a person to access only records about him or herself, the right of access under FIPPA applies to records about every person. The newly revised legislation will allow anyone to access any record held or controlled by an institution on any issue, subject to the exclusions and exceptions set out in the act. A record may include any information concerning procurement, employees, strategic plans and budgets.

What do hospitals need to do to comply?

Hospitals will need to complete a number of operational tasks this year to ensure they are ready for their new obligations under FIPPA in 2012.

“A record number of Freedom of Information requests were filed across Ontario in 2010. A total of 38,903 requests were filed in 2010, eclipsing the previous record of 38,584, set in 2007. The spike in 2010 represented the first increase in FOI requests in three years.”

—Commissioner Ann Cavoukian, 2010 Annual Report

Conduct an inventory of records subject to FIPPA

Deloitte...

ONLINE PRIVACY

The War On Anonymity (August 8, 2011)

A SPIEGEL International report discusses what some describe as a war on online anonymity. Some say anonymity is the Internet's greatest strength--promoting free speech and privacy--but others see it as increasingly dangerous. In the wake of terrorist acts and cyber-bullying worldwide, there is a push to reveal the identities of extremist bloggers and online bullies. In fact, a Carnegie Mellon study found that when users were required to identify themselves by using their real names, they behaved in a more civilized way. However, an American Association for the Advancement of Science report states that "Anonymous communication should be regarded as a strong human right."  

SOCIAL NETWORKING

Start Up Allows for Privacy On the Web (August 8, 2011)

A social network launched in April of this year claims to give people "real-world style, disposable interaction on the web," reports PaidContent. In an interview, SecretSocial co-founder Zubin Wadia discusses the idea behind the company and its plans for the future, including becoming the "go-to place" for private conversations when using other online networks. All SecretSocial conversations have an expiration date set by the users involved, at which time the conversation is deleted from user browsers as well as the company's servers. According to Wadia, one of the problems behind Internet privacy is the assumption that data needs to be retained forever. "A lot of this data analysis, complex or not, can occur in realtime," he says.

PERSONAL PRIVACY

National Security and Personal Privacy: Can They Coexist? (August 5, 2011)

The Toronto Star looks at how 9/11 has and will continue to shape national security and the resulting impact on civil liberties and personal privacy. Analyst Christopher Sands predicts that the Canada-U.S. border will become "a data collection location," where scanners, transponders and chips will work together to identify us and collect duties, for example. Sands says this scenario would mark a shift towards liberty--a new "don't hassle me" environment. Ontario Information and Privacy Commissioner Ann Cavoukian says she is "very optimistic" about the prospect of security and privacy co-existing, because "You can't have liberty and freedom without privacy."


PRIVACY LAW

Geist: Court Oversight Key (August 5, 2011)

In the Ottawa Citizen, Internet law expert Michael Geist discusses last week's Ontario Superior Court decision in the case of a former mayor. The court ruled not to force exposure of the identities of anonymous posters to a website's chat forum who, the plaintiff claimed, defamed her. Geist discusses the court's decision-making process, and says, "Given the court's careful analysis of the speech and privacy issues, the case also provides a reminder of the value of court oversight before ordering the disclosure of personal information. This may be in jeopardy since the government is currently contemplating lawful access legislation that requires such disclosures without court oversight, tilting the balance away from privacy and creating a potential chill for those speaking out online."


DATA PROTECTION

PET Award Winners Named (August 5, 2011)

Ontario's Information and Privacy Commissioner and Microsoft have named the winners of the 2011 Award for Outstanding Research in Privacy Enhancing Technologies (PET Award). The authors of a paper on the protection of genetic information and a researcher who raised awareness about the privacy vulnerabilities present in microtargeting advertising systems are this year's winners. "With emerging technologies growing rapidly in every area of our lives, leading-edge research into privacy is necessary to protect everyone's personal information. I applaud the winners on their remarkable achievement and innovation." The PET Award was created in 2003 to encourage privacy-enhancing technological development.


 

DATA PROTECTION

Report Identifies Global Cyberspying (August 5, 2011)

A U.S.-based cybersecurity company has issued a report stating that it has identified a single cyberspying perpetrator that has infiltrated governments around the world as well as U.S. corporations and U.N. groups over the course of the past five years, The New York Times reports. Stating the attacker may be a "state actor," the report did not disclose the location of the transgressing computer system or the specific business targets. McAfee, the company that issued the report, said it has identified 72 targets, 49 of which are U.S.-based. Department of Homeland Security Secretary Janet Napolitano said of the report, "We obviously will evaluate it, look at it and pursue what needs to be pursued in terms of its contents." (Registration may be required to access this story.) 


BEHAVIORAL TARGETING

Web Tracking Raises Revenue, Threatens Privacy (August 4, 2011)
USA Today reports on the rise in online tracking for behavioral advertising and the subsequent challenges tracking poses to personal privacy. Privacy advocates are concerned that digital shadowing will erode "traditional notions of privacy," while new research suggests that as more companies exercise online tracking, opportunities for the loss of privacy increase, the report states. Ernst & Young's Sagi Leizerov, CIPP, says, "It is a mistake to consider tracking benign...It's both an opportunity for amazing connections of data as well as a time bomb of revealing personal information you assume will be kept private."

ONLINE PRIVACY

Company To Sell Tracking Abilities to Merchants (August 4, 2011)

Online deals company Foursquare is looking to bring in revenue by selling its merchants software that will enable them to track--and therefore better target specials to--their customers who use the service. Traditionally, social media companies have turned to advertisers to monetize "free" services, and Foursquare's method may end up putting them in the center of the privacy debate, according to Erik Sherman, writing for BNET. "The minute you start analysis on people at specific stores, particularly smaller stores with repeat customers, consumer anonymity begins to fade," Sherman writes. "Set the right specials, and a store owner could begin matching faces, names (especially from credit card purchases) and online identities."

EMPLOYEE PRIVACY—CANADA

Medical Records Used in HR Investigation (August 4, 2011)

According to the Alberta Office of the Information and Privacy Commissioner (OIPC), Alberta Health Services (AHS) violated the Health Information Act when it used an employee's addiction counseling information in a human resources investigation. After the employee signed a consent form to allow his health records to be shared with his treating physician, the records were given to the AHS human resources department to determine "the fitness of the employee to continue his duties," reports the Edmonton Journal. An AHS spokesperson said the company would comply with the OIPC's request to change its data sharing policies in these circumstances.

GEO PRIVACY

Company Limits WiFi Location Database (August 2, 2011)

CNET News reports that Microsoft has stopped publishing the locations of WiFi connections on its Live.com database. Access to the website has been restricted as of last Saturday, according to the report. The location data was gathered from Windows Phone 7 phones and "managed driving" that records WiFi signals accessed from public roads. A Microsoft representative wrote, "This change improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted," adding, "We will continue to update our service with improvements that benefit the consumer in both positioning accuracy as well as individual privacy."  

PRIVACY LAW—CANADA

Commissioner Takes Prison Agency to Court (August 1, 2011)

The Office of the Privacy Commissioner (OPC) is taking the federal agency responsible for the country's prison system to court for allegedly violating the Privacy Act, the National Post reports. Privacy Commissioner Jennifer Stoddart says that on two occasions the Correctional Service of Canada has not appropriately responded to requests to provide inmates with the personal information the prison system keeps about them. The Privacy Act requires government agencies to provide personal information within 30 days of a request. The OPC's communications director, Anne-Marie Hayden, says, "In both complaints, our investigators found that the Correctional Service of Canada had failed to give complainants timely access to their personal information."

BIOMETRICS

Study: Facial Recognition Technology Powerful, Intrusive (August 1, 2011)

The Wall Street Journal reports on research conducted at Carnegie Mellon University that successfully identified approximately one-third of participants using the same facial recognition technology recently acquired by Google. Using profile data from Facebook, the study's author could also correctly predict the first five digits of the participants' Social Security numbers nearly 27 percent of the time. One law professor notes that the combination of available, "anonymous" online data and the technology makes re-identifying people possible. The study's author says, "This paper really establishes that re-identification is much easier than experts think it's going to be." (Registration may be required to access this story.) 

PERSONAL PRIVACY

Commissioner Investigating Utility Data Collection (July 29, 2011)

BC's privacy commissioner will investigate a utility's smart meter program to ensure it complies with privacy laws, The Vancouver Sun reports. Commissioner Elizabeth Denham says she will investigate BC Hydro's program after her office received numerous complaints that the smart meters collect personal information that may breach privacy. "The privacy and security of energy consumption data is a very real issue for citizens throughout the province," Denham said. "With an increase in the frequency of the information collected from smart meters comes an increased responsibility on BC Hydro to ensure that privacy and security is built into the grid."

ONLINE PRIVACY—CANADA

Privacy by Design: A Boon to Business (July 29, 2011)

Kashmir Hill interviews Ontario Information and Privacy Commissioner Ann Cavoukian for Forbes about the ways Privacy by Design is helping improve consumer trust. "One of the core principles," says Cavoukian, "is for companies to make users' data private by default." Privacy By Design means "simply that companies are starting to bake privacy into their products, relying less on privacy policies few bother to read," Hill writes. And the notion is starting to take off globally; U.S. lawmakers incorporated the term into a recently proposed bill, and Hill shows examples of companies' use of the principle. "Privacy has historically been viewed as an impediment to innovation and progress, but that's so yesterday and so ineffective as a business model," Cavoukian says.

DATA LOSS

Officials: Missing Records Show EMRs Needed (July 29, 2011)

Ontario's privacy commissioner is investigating a breach that occurred when Cancer Care Ontario mailed about 12,000 cancer screening tests, itbusiness.ca reports. Commissioner Ann Cavoukian, echoing the sentiment of Premier Dalton McGuinty, said the loss supports the case for reliable electronic medical records systems, adding, "In this day and age, how could Cancer Care Ontario decide to send hard copies of sensitive personal data of patients through the mail? How could Canada Post have lost track of the records?" Cancer Care Ontario alerted the commissioner's office of the missing screening tests on June 27. A search for the records turned up about 5,000 in physicians' offices.  

ONLINE PRIVACY

Opinion: Notification Laws Needed (July 29, 2011)

With large-scale data breaches bringing inadequate cybersecurity practices to light and companies holding volumes of data about their customers, privacy concerns are bubbling to the surface, but the lack of a breach notification law puts consumers at greater risk, reports The Mark. "It comes down to meaningful consent, which entails informed consent," said Privacy Commissioner Jennifer Stoddart, who has taken on industry giants in her efforts to protect consumer privacy. Delaying breach notification, according to the report, puts consumers at risk as they continue to use compromised websites and, at times, allows companies to downplay breaches.

BIOMETRICS

Commissioner: Facial Recognition With Privacy Is Possible (July 29, 2011)

While social networks struggle with appropriate ways to use facial recognition technology, organizations across Canada have implemented it for a wide range of purposes, and Canadian "e-passports," expected out next year, will also contain a chip to be used with the technology, reports The Globe and Mail. One privacy expert says "there is a tendency to over-rely on technology," adding, "It has the potential to slip from one purpose to the next so easily no one stops to ask why or what are you doing with it." Ontario Information and Privacy Commissioner Ann Cavoukian also warns of the risks of unintended use, but says privacy is possible in these technologies with proper controls. 

BIOMETRICS

No “Tag Suggestions” for Canada (July 29, 2011)

While Facebook works to address privacy concerns for its "Tag Suggestions" facial recognition feature across many regions of the globe, Canadians have not yet had the opportunity to try it out for themselves. The Globe and Mail reports that a Facebook spokesman said the company currently has no plans to offer Tag Suggestions to Canadians. Meanwhile, privacy concerns surrounding the service have sparked a coalition in the U.S. to bring a complaint to the Federal Trade Commission, and European privacy watchdogs are also looking into possible privacy violations. But a U.S. state attorney general issued a statement following a meeting with Facebook officials saying the company "has made significant changes that will provide better service and greater privacy protection to its users."  

PERSONAL PRIVACY

Technology Increasingly Diminishing Anonymization (July 29, 2011)

CNET News reports on one operating system's collection of millions of devices' location-based data, including laptops, cell phones and other WiFi devices. According to the report, Microsoft collects and publishes such locations--which can be as specific as a street address--to a database intended to help deliver location-based search results such as weather, movie times, maps and directions. Meanwhile, a Stanford researcher lists the ways identity can be linked to data that was initially collected anonymously, and an article in The Economist reports on soon-to-be unveiled research demonstrating the ease with which facial recognition technology can be used to identify "random passersby" and "personal details about them."

PRIVACY

Opinion: Right to Privacy Definitions Need Updating (July 26, 2011)
In The Wall Street Journal, L. Gordon Crovitz writes that in light of a phone hacking scandal, definitions of the right to privacy need to be updated. The debate surrounding the right to privacy in recent years has focused on new media, he writes, "but when we post details about ourselves on social media or reply to online marketing, we are choosing to become less private." Hacking phones is "a clear-cut violation of privacy," Crovitz writes, "but the clarity of this violation highlights how much ambiguity there is in other claimed areas of privacy."

PRIVACY

Privacy Leads 2011 Concerns (July 26, 2011)

ReadWriteWeb reports on privacy concerns as a top trend of 2011 so far. The report looks at privacy-focused social networks and examines concerns about smartphones and a do-not-track mechanism. The report predicts that, in response to Google's social network that allows users to publish information to targeted "circles," Facebook will likely enable selective sharing by the year's end. The report also notes researchers' revelation that smartphones are capable of storing user location data, noting a survey by TRUSTe indicating that 77 percent of respondents don't want their location data shared. 

DATA LOSS

Preparing for Mandatory Breach Notification (July 25, 2011)

As data security breach notification requirements become more widespread on a global scale, businesses are at greater risk for brand damage, customer loss and regulatory scrutiny. In a special pre-release article for the September issue of The Privacy Advisor, Baker McKenzie's Brian Hengesbaugh, CIPP, Michael Stoker and Daniel Krone discuss the 10 steps every organization should take to address these requirements. They say an organization's actions "should be tailored to reflect its industry; geographic footprint; data collections and transfers; history of data security incidents," and other factors. The authors outline specific steps organizations can take. (IAPP member login required.)

ONLINE PRIVACY

Commissioner: Better Online Privacy Protections Needed (July 22, 2011)

Assistant Privacy Commissioner Chantal Bernier says Canadians navigating the Internet should have better protections of their personal privacy from companies that use, sell and leave their information unprotected, the Toronto Star reports. Bernier also thinks a recurring five-year review by a committee in parliament would help allay online privacy concerns as well as determine whether the privacy commission could have the authority to fine violators. "There will be a big focus on the privacy of individuals using the Internet," says Bernier, "to see whether the current legislation is sufficient to address this new context."

BIOMETRICS

OLG: Facial Recognition Targets “Problem Gamblers” (July 22, 2011)

Rideau Carleton Raceway is one of a number of Ontario-based casinos that have begun using facial recognition technology to prevent "problem gamblers" from entering casinos, the Ottawa Citizen reports. The Ontario Lottery and Gaming Corp. (OLG) introduced the new technology this spring to help with the province's estimated 300,000 "problem gamblers." The OLG's Paul Pellizzari says 19 out of the province's 27 casinos are now using facial recognition systems, adding, "We took what the industry standard was for encryption and we enhanced it and did a number of other things to make it hard to hack into. But if it was hacked into, unauthorized people would not be able to access the data."

INFORMATION ACCESS

Open Government Websites Launched (July 22, 2011)

The British Columbian government has rolled out two new websites that will give the public access to databases and documents disclosed under freedom-of-information requests, CBC reports. One website features nearly 2,500 databases, which are available to download digitally and include birth rates, cancer statistics and budget figures, according to the report. A second website will allow freedom-of-information request access but will only be available for three days per request. Information and Privacy Commissioner Elizabeth Denham has applauded the sites but says there is more work ahead. "I think, over time, government will become more used to putting the data out there," says Denham. "But by doing so, they obviously open themselves up to criticism."
Full Story

DATA PROTECTION

Commissioner Discusses Privacy By Redesign (July 22, 2011)

In an interview with BankInfoSecurity, Ontario Information and Privacy Commissioner Ann Cavoukian discusses strategies that incorporate privacy into existing systems. Privacy By Redesign attempts to implement privacy strategies by looking at data use, what is permissible and the creation of a consent management system. "How can we expand the notion of embedding these protections proactively into the system," Cavoukian says, "so that it automatically knows when to seek out additional consent." The interview also covers the fundamentals of Privacy By Design, Privacy By Redesign's goals and ways organizations can improve privacy structure.
Full Story

PRIVACY LAW

Opinion: OPC Popularity “Remarkable” (July 22, 2011)

In a column for the London Free Press, David Canton considers a call by scholars for the Office of the Privacy Commissioner (OPC) to be granted "limited power to make orders, including the ability to impose penalties such as fines." Such a change would "significantly increase the power and authority of the privacy commissioner," he writes, noting the "remarkable" popularity of the OPC, which "received 200 requests to present speeches and attended and delivered 150 speeches and presentations in 2010." He also notes that Stoddart has "received more than 250 media requests; launched a blog, youth website and youth blog; sent out 700 tweets, and attracted almost 2,000 followers on Twitter."
Full Story
 

EMPLOYEE PRIVACY

Opinion: Employers Should Assess Reasonable Expectation of Privacy (July 22, 2011)

In a column for the Financial Post, Drew Hasselback writes that employers have the right to know what an employee does on a company-issued computer, but employers should be careful about how they weigh their rights against an employee's privacy rights. Hasselback says that the "heart of the matter is reasonable expectation of privacy." Implementing formal policies that clearly state an employer's expectations and rights is a first step, but "even with a clear policy in place, the employer needs to consider whether the employee has a reasonable expectation of privacy over the files or e-mails." A Vancouver-based attorney adds that before an employer starts monitoring usage, "Ask yourself: Is there a less privacy-intrusive way to do it?"
Full Story

BEHAVIOURAL TARGETING

Opinion: Search Algorithms Affect Awareness (July 22, 2011)

An Ottawa Citizen report explores how behavioural advertising, search algorithms and Internet filtering are changing the types of information individuals receive. Many individuals are not aware that their browsing and search habits, computer type and location affect results from search engines. If individuals search for news online, they may only receive what is relevant, and that means "our understanding about what's happening in the world could be diminished," the report states. Corporations should gather and use personal information responsibly, but, the report states, users have a "growing responsibility, too, to become aware and self-aware...to guard against locking ourselves away in echo chambers of our own devising."
Full Story

DATA PROTECTION—CANADA

Commissioner Recommends Charges Against Doctor (July 21, 2011)

Saskatchewan Information and Privacy Commissioner Gary Dickson has released a report that includes 11 recommendations in response to the discovery of patient health records found in a dumpster earlier this year. Dickson has named a doctor as a "trustee responsible for the records" and has recommended that legal action be taken against the individual and clinic for violation of the Health Information Protection Act, The StarPhoenix reports. "This is without question the largest breach of patient privacy that our office has encountered in eight years since the Health Information Protection Act was enacted," Dickson wrote in the report. If convicted, the doctor could face up to a $500,000 fine.
Full Story

SOCIAL NETWORKING

Opinion: New Site Puts Privacy First (July 19, 2011)

A new social networking site has learned the lessons of past privacy mishaps and made privacy the "No. 1 feature of its new service," says Nick Bilton in The New York Times. Google launched its new social network Google+ last month and now has 10 million users whose posts are private by default, the report states. Breaches of user privacy on other sites have rarely led to repercussions, and users have mostly stuck with Facebook because there hasn't been a "viable alternative," Bilton writes, adding, Google seems to have learned "the importance of privacy for consumers online." (Registration may be required to access this story.)
Full Story

PRIVACY LAW

Comments Sought in Anti-Spam Regulations (July 19, 2011)

The entities that will implement Canada's Anti-Spam Legislation have each released draft regulations for comment. Industry Canada's draft regulations define what constitutes family and personal relationships--both exceptions to obtaining user consent under the proposed legislation, Hunton & Williams' Privacy and Information Security Law Blog reports, which could affect "forward to a friend" marketing campaigns. The Canadian Radio-television and Telecommunications Commission draft regulations address commercial electronic message content; request for express consent requirements for sending commercial messages, and notice and consent requirements.
Full Story

DATA PROTECTION

Outsourcers Working to Allay Fears (July 18, 2011)

With reports of large-scale data breaches attracting media attention, companies that outsource services are looking for ways to assure customers that sensitive data is being adequately protected. ComputerWeekly reports that according to PricewaterhouseCoopers (PwC), many outsourcers are using independent reports to show that they have robust protections in place, and this increased trust and transparency has become a competitive advantage. "Companies are increasingly looking for comfort that the operational activities that they have outsourced, be it transaction processing, logistics management or cloud computing, are being properly controlled," said Neil Hewitt of PwC.
Full Story

PERSONAL PRIVACY

Stoddart: Border Pact With U.S. Needs Safeguards (July 15, 2011)

Privacy Commissioner Jennifer Stoddart has voiced concerns over a pact between Canada and the U.S. that is expected to increase data sharing between the countries. The plan, aimed at improving security while easing congestion at the border, needs transparency, controls and limits, says Stoddart, adding that the two countries may differ on points such as reasonable expectations of privacy, what constitutes personal information and transferring data to third parties, reports the Winnipeg Free Press. Stoddart encouraged the government to push for a "made-in-Canada" model, saying a U.S. approach "would not only offend the value Canadians traditionally place in their privacy but may have the effect of hurting the reputation of Canada abroad as a destination of choice."

Full Story

INFORMATION ACCESS

Bernier: Privacy Shouldn’t Impede Public Safety (July 15, 2011)

Assistant Privacy Commissioner Chantal Bernier says it's up to the Canada Border Services Agency (CBSA) to decide whether to release personal information of those being investigated for war crimes, reports the Toronto Sun. The Canadian Police Association and members of parliament have called for the CBSA to name fugitives residing in Canada illegally, but CBSA officials say they won't release the names of war criminals because they are protected by privacy laws. Bernier said her office "has always been clear that privacy does not stand in the way of public safety," the report states, adding that privacy is also "not an excuse to promote secrecy."

Full Story 

INFORMATION ACCESS

Work Retiring, But Not Pulling Punches (July 15, 2011)

As Alberta Privacy Commissioner Frank Work gets ready to retire in December, he acknowledges there are "signs of promise" in terms of government openness but reminds politicians, "information does not belong to government, it belongs to the people who elected you..." Work has long criticized the Albertan government for secrecy; in this year's annual report, he called out "a lack of leadership at the provincial level with respect to access to information," and more recently, in the Edmonton Journal, he offered suggestions for transparency going forward. "Don't say it unless you mean it. Don't toy with us. Don't toss 'open,' 'accountable,' 'transparent' at us unless you intend to follow through."

Full Story

PRIVACY LAW

Group: Gov’t Initiatives Could Harm Canadians’ Privacy (July 15, 2011)

The Montreal Gazette reports that a group of privacy advocates is voicing concerns about the potential impact of several government initiatives. The Canadian Association of Professional Access and Privacy Administrators (CAPAPA) is taking issue with the Lawful Access Law--which would require Internet service providers to monitor online behaviour and identify individuals to law enforcement without a warrant--and the Anti-Counterfeiting Trade Agreement (ACTA)--which would require Canada to sync copyright laws with 37 other countries and punish copyright infringers by denying them Internet access for one year. Taken individually, the initiatives may seem innocuous, but "if you put it all together, it has a cumulative effect," said a CAPAPA spokeswoman.

Full Story

DATA LOSS

Even The Web-Savvy Get Breached (July 15, 2011)

Though Chester Wisniewski has 488 different passwords, he was still recently the victim of online hacking, Moneyville reports. Wisniewski, a computer security expert, was one of the victims of the Sony PlayStation breach, which affected 100 million users. Had he used that same password for other sites, such as his online banking, the repercussions would have been worse. "Unfortunately, once you have stolen someone's Facebook or e-mail account, it kind of unlocks everything in their life...it's easy to commit identity theft," Wisniewski said. Users should protect themselves by using multiple, strong passwords that change every so often and avoiding conducting private business on public computers, the report states.

Full Story

HEALTHCARE PRIVACY

Health Authority Mistakenly Shares Data (July 15, 2011)

The Cape Breton District Health Authority gave 277 patients' names, addresses and two lab results to researchers without first gaining consent, reports The Cape Breton Post. While a proper protocol was in place, doctors did not follow it. The authority's CEO, John Malcom, has called the incident a "serious error" and said the authority has written letters to all those affected and "strengthened the understanding of this in health records, so in the future, before any access is given to patient results like this, we have to see the consent of the individual." Malcom said all the data has been withdrawn from the study and returned to the authority.

Full Story

PRIVACY LAW—UK

Phone hacking scandal prompts closer look at ICO’s call for jail terms (July 15, 2011)

A renewed interest in issuing custodial sentences for those who flout data protection law has emerged in the wake of the News of the World phone hacking scandal. In a speech this week, Deputy Prime Minister Nick Clegg said those convicted of obtaining personal data by deception should be jailed, according to a BBC News report. And Prime Minister David Cameron acknowledged that 2006 reports from the Information Commissioner's Office that detailed data handling issues and recommended custodial sentences for data infractions were not given the attention they deserved. Stewart Room, a partner at Field Fisher Waterhouse in London, told the IAPP Europe Data Protection Digest that the scandal "has captured the public imagination and the Coalition Government will have to react...The introduction of jail sentences is now inevitable."
Full Story

SOCIAL NETWORKING

Privacy Approach May Determine Success (July 13, 2011)

CNNMoney reports on new competition in social networking, and the report says privacy may end up determining the leader. While Facebook holds the major market share, Google's new Google+ is being lauded by testers for its privacy controls. "Web users may benefit from a Facebook-Google rivalry, but for a different reason: The best way for these companies to differentiate their social media offerings is by preserving personal privacy," the report states.
Full Story
 

ONLINE PRIVACY

Cloud Concerns Pervasive (July 12, 2011)

Across jurisdictions, concerns about privacy in the cloud persist. "There is no global law of cyberspace or law of the Internet, although there are separate pieces of legislation relating to privacy, spam, electronic transactions, cybercrime and more," one Australian expert writes, cautioning that recent breaches are a warning to all businesses. Technorati reports that, additionally, concerns about differing regulations, such as the U.S. Patriot Act being at odds with EU data protection rules, are also problematic. "All this could lead to something as drastic as the EU banning--even if only temporarily--U.S. companies from operating cloud services within the EU," the report states.
Full Story
 

ONLINE PRIVACY

Groupon To Collect, Share More User Data (July 11, 2011)

Groupon has e-mailed its 83 million subscribers to announce changes to its privacy policy, including that it will begin collecting more information about its customers to share with its business partners, The Washington Post reports. It will also begin using geolocation information for marketing purposes. The expanded categories of information Groupon will now collect include user habits and interests, which it will share with third parties. It now shares contact, relationship, transaction and mobile location information. The company has also released details on the ways it collects and uses such information. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

It’s a Privacy Policy. It’s a Game. It’s Both! (July 8, 2011)

An online game manufacturer yesterday launched "PrivacyVille," a tutorial on its privacy policy that users play like a game. Players follow along and learn about how Zynga will protect users' personal information, reports CNET News. The company says the game is not meant as a substitute for its official privacy policy and Privacy Center but as an educational tool. Unlike Zynga's other games, PrivacyVille does not require a Zynga or Facebook account, but players earn points redeemable in some of the company's other games that do.

PRIVACY LAW

Dickson: Consequences Needed (July 8, 2011)

Saskatchewan Information and Privacy Commissioner Gary Dickson cited an incident from earlier this year where boxes of patient medical records were disposed of in a dumpster as an example of the need for stricter privacy laws, The StarPhoenix reports. Speaking after the release of his annual report on Monday, Dickson said, "We're not going to have the level of compliance and the pervasiveness of compliant practice that I think Saskatchewan residents are entitled to until there are particularly serious consequences." Investigations are often the result of careless errors or the curiosity of employees who "snoop in somebody else's health records or somebody else's personal information," he said.
Full Story

PERSONAL PRIVACY

Audit Reveals Sensitive Data on Machines (July 8, 2011)

After the Office of the Privacy Commissioner released an audit in its annual report showing that more than a third of Staples' refurbished electronic equipment still held private data, a U.S. attorney general is asking for more information on its refurbishing process. The Hartford Courant reports that personal information was found on digital devices in 15 of the 17 stores audited, including passport numbers, employment information and driver's license numbers. Connecticut Attorney General George Jepsen sent a letter to the company last week requesting more information on its practices and policies. "It is critically important that used and refurbished products are scrubbed of any personal information by previous owners," Jepsen said.
Full Story

INFORMATION ACCESS

Work’s Suggestions for a Transparent Government (July 8, 2011)

Nearing the end of his term as Alberta's privacy commissioner, Frank Work offers suggestions for incoming leadership on how to approach government transparency. "Remember, the whole idea of the Freedom of Information and Protection of Privacy Act (FOIP) is to ensure that the public has access to information held by government," Work writes for the Edmonton Journal. He goes on to say that obeying FOIP is not enough. "Tell your cabinet that you expect them to get the information out there...Instruct your ministers to deliver the same message," he writes. Work recommends a rewrite of the chief information officer's job description and additional FOIP coordinators to ensure these goals are met.
Full Story

DATA LOSS

A Property Right in Personal Information? (July 7, 2011)

Plaintiffs in data breach claims have been unsuccessful in convincing courts that they have suffered harms as a result of a breach, but "a new theory that claims a property right in personal information has recently been tried," writes Andrew Clearwater, CIPP, in an article for the current edition of the IAPP's Privacy Advisor newsletter. Clearwater says that, under this theory, a data breach causes a loss of personal information property and, therefore, a concrete or particularized harm has been realized. The approach is being tested in a case against RockYou Inc.
Full Story
 

BIOMETRICS—CANADA

Opinion: Don’t Trade Privacy for Quick IDs (July 5, 2011)

An editorial in the Victoria Times Colonist opines that while the desire to catch Vancouver rioters is understandable, Insurance Corp. of British Columbia (ICBC) sharing its database of images with police raises significant privacy issues. "None of the three million people in the ICBC database gave their consent for their images to be used in this way," the report states. And British Columbia Privacy Commissioner Elizabeth Denham has said that though the sharing is legal, she has concerns about using the photos for a purpose other than that for which they were collected. "Technology has outstripped our privacy regulations and laws. Until we catch up, ICBC and other organizations should be putting privacy first," the author writes.
Full Story

DATA LOSS

$40 Million Class-Action Suit Sought in Durham (July 1, 2011)

SC Magazine reports on a $40 million class-action suit that has been filed against the Durham Region over the loss of an unencrypted USB flash drive. The drive contained personal information of nearly 84,000 people who had been vaccinated against the H1N1 flu virus during a two-month span in 2009. The suit claims that the region was negligent, breached its fiduciary duty and violated patients' privacy and the Canadian Charter of Rights and Freedoms, according to the report. The drive--which contained names, addresses, phone numbers, birth dates, health card numbers, primary care physician names and other personal health information--was lost in the parking lot of the regional headquarters by a public health worker.

Full Story

PRIVACY LAW

Concern About Proposed ISP Legislation (July 1, 2011)

Canada's privacy commissioner and several civil rights groups have expressed concern about proposed legislation that would require Internet service providers to use communication-interception technology as well as share subscriber information with law enforcement without a warrant, the Montreal Gazette reports. Entitled "Lawful Access," it may be included in an omnibus bill proposed by the Conservatives to be tough on crime. The assistant privacy commissioner says, "Our concern is that we have not yet seen a demonstrable need for the extent of access to personal information by law enforcement and national security authorities...We believe any measure that seeks to put more personal information in the hands of government in general must be justified."

Full Story

HEALTHCARE PRIVACY

Investigation Explores Medical Record Payment Requirements (July 1, 2011)

The Globe and Mail reports on the reason patients must pay for the transfer of their own medical records. According to the report, one healthcare provider attempted to charge $2,532 for a copy of medical records. "We've had many complaints of this nature where we've reduced the fee significantly," says Ontario Information and Privacy Commissioner Ann Cavoukian. As part of its annual report, her office set a benchmark to limit fees. Defending the practice of charging medical fees, one doctor says, "We're not asking for patients to pay for the information that's in the file...We're asking them to pay for the clerical time and the effort of putting the copy together." 

Full Story

PERSONAL PRIVACY

Opinion: Smart Grid Must Ensure Privacy from Start (July 1, 2011)

In an editorial for the Times Colonist, BC Privacy Commissioner Elizabeth Denham writes about her office's collaboration with BC Hydro as it implements the smart grid, which will digitize home energy use. "With an increase in the granularity of information comes an increased potential for abuse," Denham writes, adding that key smart grid privacy and security issues include making sure that information is protected as it moves along the grid; privacy is built in at the earliest stage; customers have access to their own--but no one else's--household energy data, and customer energy information is used only for the purposes it was collected.

Full Story

PERSONAL PRIVACY

More Citizens Need “Privacy Literacy” (July 1, 2011)

In this digital age, two of Canada's privacy watchdogs do not think individuals should have to sacrifice their privacy in order to reap the benefits of digital innovation, the Toronto Star reports. Ontario's information and privacy commissioner has reported that many mobile phones "can reveal damaging and perhaps embarrassing information, or lead to discrimination." Canada's privacy commissioner notes that four out of five Canadians use the Internet daily, but "many people don't know they're leaving a trail of digital bread crumbs when they click their way through websites. They don't know that those crumbs are stored, analyzed and accessible."

Full Story

DATA PROTECTION

Commissioner Discusses Privacy By Design (July 1, 2011)

In a podcast for GovInfoSecurity, Ontario Information and Privacy Commissioner Ann Cavoukian discusses Privacy By Design and a new concept, privacy by redesign. Saying that organizations are often their own biggest obstacle, she adds, "You have to weave privacy throughout the entire organization in order for it to work effectively." In the interview, Cavoukian discusses the fundamental components of Privacy By Design, the goals of privacy by redesign and improvements organizations can make to improve their privacy initiatives.

Full Story

FINANCIAL PRIVACY

Study: Hackers Outpacing Bank Security (June 30, 2011)

Evidence in a recent study suggests that large credit card-issuing banks are not keeping up with the technological sophistication of hackers, TIME reports. One research firm analyzed and graded the online security practices of the financial sector's 23 largest card-issuing institutions. Based on a 100-point scale, the average score was a 59. "The good news is issuers are doing a better job overall of resolution, but that's the easiest thing to do," says the study's lead author. "Prevention is the hardest to do, but it's got the biggest payback." The study also noted that banks have a strong record of eliminating fraudulent charges from individuals' bank accounts.
Full Story

SOCIAL NETWORKING

Privacy Emphasized in New Google Network (June 29, 2011)

Google has introduced a new social networking service that will allow users to communicate status updates, photos and links, The New York Times reports. The Google+ project will initially be available to a "select group" of Google users, according to the article, who will then be able to extend the network by inviting friends and groups into the network. Though many of the features will be similar to Facebook, Google's site is engineered to allow small groups to share information without sharing updates with all of an individual's friends. "In real life, we have walls and windows, and I can speak to you knowing who's in the room," says a Google representative, "but in the online world, you get to a 'Share' box and you share with the whole world...We have a different model." (Registration may be required to access this story.)
Full Story

STUDENT PRIVACY—CANADA

District: No Posting School Pics Online (June 27, 2011)

The Winnipeg School Division has adopted a new policy aimed at protecting children. The policy forbids posting photos or video of public school events to the Internet, reports the Edmonton Journal. Kristine Barr, chairwoman of the division's policy/program committee, said that parents can photograph events for personal use, but any photos or video that include children other than their own may not be posted online. Principals will be responsible for notifying people of the rule and asking them to remove disallowed content from the Internet. Barr says she recognizes this will be "difficult to enforce" but that the division hopes parents, staff and others will comply. 
Full Story

DATA LOSS

Critics: Breach Response Has Been Lackluster (June 27, 2011)

The Globe and Mail reports that Citigroup's handling of its recent data breach is drawing criticism. Following a hack by cybercriminals that exposed more than 360,000 credit card accounts, Citigroup did not offer to buy those affected one year of preventative credit monitoring services, as has become typical for companies after a breach occurs. The deputy director of national priorities for Consumer Action said that consumers "might want to turn to Citibank and ask them to do more." Marc Rotenberg of the Electronic Privacy Information Center said, "Citigroup needs to take this recent breach more seriously than they have." Meanwhile, Citigroup has disclosed that about 3,400 of those affected have lost about $2.7 million.
Full Story

DATA LOSS

More Companies Train and Prepare for Breaches (June 27, 2011)

Business Insurance reports on the growing concern businesses have in the face of increased hacker attacks and cybersecurity risks. The report notes that breach preparation will place a business in a better position to appropriately respond to an event and, subsequently, improve its ability to receive cyber risk coverage from insurers. Vinny Sakore, CIPP/IT, of Immersion Ltd. says, "With data breaches, experience is critical," adding that it's important for consultants to improve client awareness of data breach issues. Rick Prendergast at Kroll Fraud Solutions says that breach costs have risen 22 percent since 2009, prompting more companies to take breaches more seriously and "to certify that breach training has taken place across the enterprise."
Full Story

HEALTHCARE PRIVACY

Medical Identity Theft on the Rise (June 27, 2011)

Chronicling the story of a man whose roommate stole his medical identity, NPR's "Marketplace" explores the rise in medical identity theft and the effect it has on victims. A recent Ponemon Institute study found that victims of medical identity theft spend, on average, $20,000 in lost time, increased insurance premiums and legal fees, and the report points out that "Once another patient masquerades as you, your medical records are inaccurate, and that can jeopardize your future treatment." Electronic medical records should make tracking thieves easier, the report states, but Pam Dixon of the World Privacy Forum says hurdles remain.
Full Story

PERSONAL PRIVACY

Companies Help Individuals Control Personal Data (June 27, 2011)

In light of the vast amount of information that is collected online, companies are emerging with an alternative business model that allows consumers to control their personal data, The Mercury News reports. Instead of cookies that track consumers online, some companies are attempting to create a new model where individuals could access and track their personal information and refute false personal information that might exist on the Web. Additionally, Google has launched "Me on the Web" to help individuals monitor their personal data. One startup's CEO says, "We felt like there was a huge opportunity to turn the consumer model upside-down--to help people manage, create and grant access to the best data about themselves."
Full Story

DATA LOSS

External NATO Website Breached (June 24, 2011)

The North Atlantic Treaty Organization (NATO) has released a statement announcing that a NATO-related website, operated by a third party, has been compromised, TIME reports. In addition to blocking access to the site and providing customer notification, the statement noted that "NATO's e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data." NATO also announced, according to the report, that it has created a "cyber defense action plan" that will deal with growing cybersecurity threats.
Full Story

ONLINE PRIVACY

Opinion: Biggest Problem is Policies (June 24, 2011)

In an op-ed for ITWorld, Dan Tynan writes that while online privacy is based on a clear concept--people should have control over their personal information--the average privacy policy is not. "If you want people to understand privacy--and maybe not be either so blasé or so paranoid about how their data is being used--we need privacy policies that human beings can understand," he writes. Using real-life examples of how confusing policies can be, Tynan outlines his suggestion for a pop-up box with four bullet points outlining simple facts about websites' collection and use practices and ways to opt out.
Full Story

FINANCIAL PRIVACY

Commissioner Monitoring U.S. Tax Law (June 24, 2011)

Privacy Commissioner Jennifer Stoddart is "closely monitoring" a U.S. law that is slated to pursue tax evaders living abroad, The Globe and Mail reports. U.S. tax authorities plan to require foreign financial institutions to disclose the amount of money held by American accountholders. A spokeswoman for Stoddart said, "The concern is the collection of customers' personal information and the transfer to the U.S." The U.S. law, which will go into effect in 2013, would pressure Canadian banks, brokers, insurers and mutual funds to collect U.S. Social Security numbers and account balances and share them with the Internal Revenue Service. According to the report, Finance Minister Jim Flaherty is seeking an exemption, saying that Canada is not a "tax haven."
Full Story

BIOMETRICS

Denham To Audit Facial Recognition Use (June 24, 2011)

British Columbia Privacy Commissioner Elizabeth Denham has said she will monitor the use of Insurance Corp. of British Columbia (ICBC) footage to identify post-Stanley Cup rioters in police investigations. The Province reports that under the Freedom of Information and Protection of Privacy Act, ICBC is permitted to hand over information to police with a court order, but Denham said she will "ensure that imagery that is identified for this investigation will not be used for further investigations of the police." An ICBC spokesman noted that the police will not have access to the image database but will provide an image and a court order, and ICBC will look for a match.
Full Story

PRIVACY LAW

Supreme Court To Hear Jury Vetting Cases (June 24, 2011)

The Globe and Mail reports that the Supreme Court of Canada has agreed to hear appeals from four men who claim their trials were tainted by jury vetting. Three of the men were convicted of murder in 2005 and one of fraud in 2008. The Ontario Court of Appeals dismissed earlier appeals by the four men claiming that police and prosecutors conducted secret background checks on jurors, affecting their trials. The cases prompted an investigation by Ontario Privacy Commissioner Ann Cavoukian, who determined the background checks had violated privacy legislation and ordered an end to the practice.
Full Story

PRIVACY LAW

Work Requests Leave for Supreme Court Appeal (June 24, 2011)

Alberta Information and Privacy Commissioner Frank Work is asking for a leave from his position in order to contest an Alberta Court of Appeals decision to the Supreme Court of Canada. The decision declared that "an organization's methods of collecting personal information must only be reasonable and need not be the least-intrusive method," reports Canadian Technology & IP Law. Work argues the decision gives organizations a way around PIPA and sets a "dangerous precedent" that will compromise privacy rights.
Full Story

PRIVACY LAW

Petition Launched to Oppose Bills (June 24, 2011)

More than 30 organizations, businesses and academics are opposing a trio of bills expected to be introduced later this year. Straight.com reports that OpenMedia.ca has launched an online petition against bills C-50, C-51 and C-52, which are expected to be included in omnibus crime legislation in September, the report states. OpenMedia.ca says the bills would allow for warrantless information gathering and increased surveillance by law enforcement authorities. "Every provincial privacy commissioner...has spoken out against this," said OpenMedia.ca Communications Manager Lindsey Pinto, who added, "This could set a very negative precedent for surveillance in Canada."
Full Story

PRIVACY

Awards To Fund Privacy Research (June 24, 2011)

Privacy Commissioner Jennifer Stoddart has announced the recipients of the 2011-2012 Contributions Programs, which will provide $350,000 for privacy research and public education initiatives. Recipients will use the funds to advance privacy research. Initiatives include the creation of a cross-media game to teach children about privacy; an interactive educational package about protecting personal privacy for teachers to use; and a study focusing on the interaction between private-sector data gatherers and law enforcement authorities. Stoddart said funding privacy research and outreach "generates new ideas, approaches and information, which Canadians can use to make smart decisions about protecting their personal information."
Full Story

ONLINE PRIVACY

Experts: The Internet Never Forgets (June 24, 2011)

Amidst fallout from post-Stanley Cup riots in Vancouver, the Ottawa Citizen talks to Internet experts about the potential damage online images can do to a person's reputation. Once information is on the Internet, some experts say, it's there for good. But people can manage their online reputation by posting positive information about themselves or hiring companies with "reputation advisors" to shape their online personas. Google recently launched a tool that alerts people when information has been posted about them online and suggests how to remove unwanted postings. However, a London technology analyst notes, "the Internet does not have a delete button."
Full Story

DATA LOSS

Study: Breaches More Frequent and Severe (June 23, 2011)

A Ponemon Institute study has found that 90 percent of businesses experienced a data breach in the past year, and attacks were more severe and difficult to prevent. Network World reports that mobile devices--employee laptops, smartphones and tablets--are responsible for most breaches, while business partnerships also elevate risk. Fifty-three percent of businesses reported a low level of confidence in their ability to avoid future attacks, which the authors attribute to "the fact that so many organizations are having multiple breaches." An MSNBC report outlines ways for individuals to protect themselves in light of the recent "seemingly endless string" of data breaches, and according to the report, most aren't made public. Meanwhile, CIO has posted an online quiz to test readers' knowledge of data breaches.
Full Story

ONLINE PRIVACY

Browser Updates Do-Not-Track Option (June 23, 2011)

Mozilla has made its new do-not-track option easier to find and set in its latest Web browser update, ZDNet reports. Firefox 5 is the first in the company's accelerated release cycle--a plan to release browser updates every three months. The latest update also includes a do-not-track mechanism for the Android version of the browser. Mozilla's do-not-track feature relays header information to advertising companies, which then have the option to honor the request to avoid data collection. Microsoft's Internet Explorer 9 also features a do-not-track mechanism, but unlike Firefox, the report states, it uses a "tracking protection list--essentially a block list to decide which third-party elements of a Web page to block or allow."
Full Story

ONLINE PRIVACY—CANADA

Commissioner: Dating Sites Must Improve Privacy (June 22, 2011)

Internet dating site eHarmony says it is in the process of providing users with options to permanently delete their online accounts after an investigation by Canada's privacy commissioner, the Toronto Star reports. The investigation followed a complaint from an eHarmony customer who said the dating site told her that her account and personal information could not be permanently deleted, despite her requests. Stoddart's investigation, included in her annual report tabled yesterday in parliament, also found that "a quick scan of other sites reveals that some do not even have the privacy policies. Some that have privacy policies do not specify how they handle personal information after a user is no longer active on the site." Canadian privacy attorney and IAPP Canada Managing Director Kris Klein, CIPP/C, told the Daily Dashboard that Stoddart's eHarmony investigation is interesting because "Facebook was in trouble for a very similar thing. It was very public, what Facebook had to do to change itself and comply, yet eHarmony didn't until now." Klein added he will be "curious to see how many more people have to get in trouble before companies just proactively do the right thing."

SURVEILLANCE—CANADA

OPC Bringing Airport Authority Case to Court (June 22, 2011)

Privacy Commissioner Jennifer Stoddart is calling for a court decision after a Greater Toronto Airports Authority (GTAA) employee used surveillance equipment to track her ex-husband through the airport, the Toronto Star reports. Stoddart detailed the unresolved complaint in her report to parliament, noting the GTAA did not respond to a request for information in the 30 days required and "held more personal information about the complainant than it had provided in its belated response to the complainant's access request." Stoddart is asking the court to find the GTAA "failed to meet its obligations under PIPEDA," require implementation of the commissioner's recommendations and award damages to the complainant.
Full Story

PRIVACY LAW—CANADA

Annual Report Issued: Company’s Improvements Insufficient (June 21, 2011)

An audit by the privacy commissioner of Canada has found that Staples Business Depot stores failed to wipe clean the hard drives of devices intended for resale, despite commitments to address such problems. Included in a report to parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today and includes information on other ongoing investigations, Commissioner Jennifer Stoddart's audit found that the office supply store "did improve procedures and control mechanisms after our investigations," but they were "not consistently applied nor were they always effective, leaving customers' personal information at serious risk." The company had said it would take corrective action following two complaints to the commissioner. The audit found that of 149 data storage devices, one-third still contained customer data.
Full Story

DATA LOSS

Online Network Hacked, 1.3 Million Affected (June 21, 2011)

A recent rash of cyberattacks continues, this time affecting 1.3 million members of Sega's online video game network, Sega Pass. Reuters reports that names, birth dates, e-mail addresses and encrypted passwords of users were stolen from the database. Sega Europe discovered the breach on Thursday and notified network users and Sega Corp, which then shut down the site. A company spokeswoman apologized for the breach, saying that Sega is working on improving security measures. A hacker group responsible for attacks on other video game sites has offered to track down these hackers, according to the report.
Full Story

PRIVACY LAW

Bill Could Affect ISPs and Law Enforcement (June 17, 2011)

The Globe and Mail reports on planned legislation that would make it mandatory for ISPs and search engines to log and retain communications at the request of law enforcement entities. Under the proposed legislation, authorities would not need a warrant. The Investigative Powers for the 21st Century Act, Bill C-51, was originally introduced during the last parliament and will be reintroduced as part of a "super crime bill," the report states, adding, "The big six ISPs that dominate Internet access in Canada...have been relatively quiet about their views on the subject."
Full Story

PERSONAL PRIVACY

Board Violates Privacy Rules (June 17, 2011)

Alberta's privacy commissioner has ruled that the Workers' Compensation Board (WCB) contravened privacy rules by disclosing the personal information of a worker to a doctor, CBC reports. Gail Cumming, a privacy consultant, says that WCB staff needs better training. She added, "So I have circumstances where they've violated the Freedom of Information and Protection of Privacy Act (FOIP), I've brought it to their attention; they've indicated it's a 'whoops.' And only the WCB is allowed to have a 'whoops' when it comes to FOIP."
Full Story

DATA PROTECTION

Report: Don’t Stop Anonymizing (June 17, 2011)

In the wake of high-profile cases raising questions about how effective the process of anonymizing customer data is, a report from Ontario Information and Privacy Commissioner Ann Cavoukian and the University of Ottawa's Khaled El Emam has found that "de-identification is an important means to safeguard privacy," ReadWriteWeb reports. "Not only does de-identification protect individual privacy, it also enables the valuable use of information for authorized secondary purposes, such as health research, which benefits not only individuals but society as a whole," Cavoukian said. The study found that while 100-percent anonymization could not be guaranteed, re-identification is not easily accomplished. Editor's note: IAPP members, watch for more about Khaled El Emam's work on de-identification in the next edition of The Privacy Advisor, which comes out on June 28.
Full Story

DATA PROTECTION

Survey: Canadian Businesses Not Concerned About Potential Breaches (June 17, 2011)

Research company Ipsos Reid's recent survey of 1,011 companies showed that 47 percent said they are not worried about the repercussions of losing sensitive data, Canada.com reports. Thirty-eight percent said they did not have a protocol for storage and disposal of sensitive information, the report states, and 28 percent said they weren't aware of their legal obligations when it came to data protection. "Most people have the opinion that it will never happen to me," said one chief security officer.
Full Story

GEO PRIVACY

Opinion: Advances in Vehicle Technology Create Risks (June 17, 2011)

In an opinion piece for the Toronto Star, President of the Toronto Automobile Dealers Association Sandy Liguori writes that as vehicles' computer systems become increasingly sophisticated, potential threats are "waiting to be exploited" and calls for a more aggressive stance from governments, companies and law enforcement. Meanwhile, Nissan is looking into a blogger's claims that the navigation systems in its Leaf vehicles send drivers' location data to third parties. A SeattleWireless.net blog post claims that the information is transmitted via Nissan's subscription-based Carwings system when a driver updates his RSS feeds. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Council Releases PCI Standards Guiding Document (June 16, 2011)

The Payment Card Industry Security Standards Council has released a set of guidelines for companies to ensure compliance with industry standards, Computerworld reports. The 39-page document describes how each of the 12 PCI security requirements can be applied in a virtual environment, the report states, and offers recommendations on how to stay compliant in the cloud, delineating between entities' and cloud vendors' responsibilities. "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider," the document states. The guidance is the "best document that the PCI Security Standards Council has written to date," an independent PCI consultant said.
Full Story

SOCIAL NETWORKING

LinkedIn Privacy Changes Point To Social Ads (June 15, 2011)

MediaPost News reports that LinkedIn's privacy policy updates hint at the introduction of "social ads" based on users' activities. LinkedIn "appears eager" to avoid privacy issues, the report states, and will allow users to opt out of social ads. "Most importantly, we do not provide your name or image back to any advertiser when that ad is served," one LinkedIn official noted, while another said, "This upcoming change to the privacy policy reflects the evolving ways in which our members are using the LinkedIn platform, and it allows us to explore this area should we choose."
Full Story

DATA PROTECTION—CANADA

Commissioner Calls for a Change in Thinking (June 15, 2011)

Ontario's privacy commissioner has released a white paper on how organizations can build privacy into legacy systems, reducing data loss risks, SC Magazine reports. Replacing systems that have already been built without privacy considerations is often not an option, Commissioner Ann Cavoukian said at a Toronto event this week. Instead, organizations should create technologies that incorporate privacy as a default by limiting the amount of personal information collected, reducing the amount of time that it's stored and encrypting retained data, among other initiatives. Cavoukian also shared concerns about WiFi systems' ability to report users' location data.
Full Story

PRIVACY

“Cyberinsurance” in High Demand (June 15, 2011)

The "cyberinsurance" industry is experiencing an uptick in business with recent high-profile breaches driving companies' desire to protect themselves from spending potentially millions of dollars on breach-related costs. Companies are upgrading IT and human resources practices and training employees in order to get coverage--in some cases worth hundreds of millions of dollars. "Consensus is building" on what policies cover, but standardization remains a hurdle, says one insurance expert who predicts, "One day the industry will actually be so robust that...we'll have the leverage to actually create standards." A Ponemon Institute study shows the average breach cost $7.2 million last year, "But with the scale and scope of hacking attacks growing daily, some companies cannot be cautious enough," the report states.
Full Story

PRIVACY

Experts Discuss the State of Privacy (June 14, 2011)

In his blog, "my heart's in accra," Harvard's Ethan Zuckerman writes about the Hyper-public conference in Cambridge, MA, last week, where privacy experts discussed the state of privacy worldwide. Berkman Center Director Urs Gasser described a Swiss Court's privacy ruling putting restrictions on Google's Street View mapping feature in public spaces and forbidding it in private spheres, indicating the "complexity of delineating between public and private" and pointing to the need for a "nuanced definition of privacy." John Palfrey of Harvard Law School suggested young people have not given up on privacy but don't yet know how to "navigate these new spaces," while conference organizer Judith Donath discussed societies' evolving norms around privacy.
Full Story

PRIVACY

Commissioners Honored (June 10, 2011)

Canadian Privacy Commissioner Jennifer Stoddart and Ontario Information and Privacy Commissioner Ann Cavoukian both received awards this week honoring their work in the privacy field. Cavoukian received the 2011 Kristian Beckman Award from the International Federation for Information Processing, which is given annually to an individual who has "significantly contributed to the development of information security, especially achievements with an international perspective." The Montreal Gazette reports on Stoddart's selection as a recipient of the Barreau du Québec's Mérite Christine-Tourigny "for her remarkable work in the protection of personal information and because of the significant impact of her professional actions on the evolution of law in that area."
Full Story

PERSONAL PRIVACY

Artificial Intelligence Prompts Privacy Concerns (June 10, 2011)

The Globe and Mail reports on the growing use of artificial intelligence (AI) by businesses to mine and consolidate customer data. AI can collect and store information about individuals, including their payment habits and location information, allowing companies "to track our habits." According to the article, "some advocates argue that privacy issues should be a public concern and that action is required to safeguard information," while a computer science expert said, "We have to get over, at some point, the idea that we have privacy. We don't...We have to redefine what privacy means."
Full Story

DATA LOSS

Bank Misplaces Personal Information (June 10, 2011)

Three CD-ROMs that listed the names, addresses, account numbers and social insurance numbers of Scotiabank customers have gone missing, the Toronto Star reports. Describing the incident as an "extremely rare occurrence," the bank said the parcel containing the information "has gone missing while in internal mail between two" departments. Scotiabank has notified its customers, but, according to the article, it has not been determined how many customers were affected.
Full Story

PERSONAL PRIVACY

Debate Surrounds Offender Website (June 10, 2011)

Legislators in Ontario have proposed publishing the province's sex offender registry--which includes approximately 14,100 individuals--on a publicly accessible website, The Canadian Press reports. Proponents think it is "an essential tool that would better protect children from predators," but critics have expressed concern that it could cause "vigilante action." Information and Privacy Commissioner Ann Cavoukian questions what could be gained and what could result from the website. She notes that police already track registered sex offenders and can disclose information to the public if there is a potential threat. "It might also lull the public into a false sense of security," she said.
Full Story

DATA LOSS

Conservative Party Donor Info Hacked (June 10, 2011)

Hackers that broke into the Conservative Party's website claim to have accessed the personal information of individuals who donated to the party through the site, reports the Toronto Star. The data includes names, addresses, e-mail addresses and, in some cases, partial payment card numbers. A Twitter post by a user claiming responsibility for the hack linked to a webpage listing 1,719 individuals' data and an offer to download thousands more, the report states. A Conservative Party spokesman said that while much of the information stolen is publicly available, it will contact all those affected and continue to investigate "as well as work with authorities on this matter."
Full Story

DATA THEFT

Expert: Gov’t Must Improve Cybersecurity (June 10, 2011)

With the rise of high-profile data breaches spawned by hacker groups, one expert thinks the federal government needs to strengthen its cybersecurity strategy, The Vancouver Sun reports. Calling it "BreachFest 2011," the expert said, "it's now become apparent that the ecosystem that we communicate in has some serious problems globally." He also discusses a recent report that attacks originating from Chinese servers may have accessed classified information from the Treasury Board, Department of Finance and Department of National Defense. He argues that the federal government should give existing authorities more resources, not more powers.
Full Story

ONLINE PRIVACY

Opinion: On Clouds and Crime Laws (June 10, 2011)

Two perspective pieces in The Vancouver Sun touch on recent developments that have implications for privacy and data protection. Bill Keay follows up on Apple's move to the iCloud. For consumers, "stepping into the cloud requires a leap of faith," Keay writes, adding that cloud servers are "a rich target for hackers." In another commentary, Ian Mulgrew discusses the impact on privacy and civil liberties of the Conservative government's "tough-on-crime" legislation, saying, "Neither the government, RCMP nor the national security agencies has provided evidence we need to allow this incredible intrusion."
Full Story

SOCIAL NETWORKING

Increased Lawsuits from Workplace Use (June 10, 2011)

Lawsuits and labour disputes stemming from the use of social media in the workplace are on the rise, The Vancouver Sun reports. According to polls cited in the article, nearly 75 percent of Canadian employees use social networking sites at work, and 45 percent of managers use them to vet potential candidates. One lawyer said that companies should establish an "appropriate-use policy" that sets clear parameters for employees. He added, "There's no 'cookie-cutter, one-size-fits-all' policy...You have to think of the nature of your business, the culture of your organization and the resources at your disposal."
Full Story

SOCIAL NETWORKING

Regulators: Facial Recognition Concerns Abound (June 10, 2011)

Privacy concerns continue to surface in the wake of the announcement of Facebook's new facial recognition feature, with regulators being called upon to investigate. The Electronic Privacy Information Center (EPIC) is organizing an effort in the U.S. to file a complaint with the Federal Trade Commission, Financial Times reports, while in Europe, the Article 29 Working Party, Irish DPA, UK Information Commissioner's Office and German DPA are among those raising concerns. "Again Facebook has changed its Privacy Declaration without the users' consent," said German Data Protection Commissioner Peter Schaar, adding, "I do not think that Facebook's action conforms to European and German data protection law."
Full Story

BEHAVIORAL TARGETING

IPv6 Rollout Could Necessitate Privacy Rethink (June 9, 2011)

Yesterday, hundreds of companies began testing the next-generation Internet address protocol--IPv6. The new standard will replace IPv4, which is running out of unique IP addresses for the world's many devices, Computerworld reports. IPv6 will "have the ability to profile Internet behavior to more accurately target online ads," writes Laurie Sullivan for MediaPost. And although it is too soon to tell, "IPv6 could likely require companies to go back to the drawing board and renegotiate privacy laws with the SEC because of the ability to identify more granular data collected through ad targeting," she adds.
Full Story

ONLINE PRIVACY

Investigation Finds Apps Put Data at Risk (June 9, 2011)

A computer security firm has found that some popular mobile applications store users' personal data in plain text on their mobile devices, reports The Wall Street Journal. The viaForensics investigation found information such as unencrypted user names, passwords and transaction amounts on smartphones, which goes against industry best practices. "Data should not be stored on a phone," said Andrew Hoog, chief investigative officer of viaForensics. Hoog also said that while app developers are becoming more aware of data security issues, the fact that vulnerabilities still exist indicates security is not a top priority. One app maker's spokeswoman said that it's necessary for some information to be stored on phones, and the practice is allowed by the PCI Security Standards Council. (Registration may be required to access this story.)
Full Story

DATA LOSS

Opinion: Management Lessons from Breaches (June 8, 2011)

The Financial Times reports on lessons that should be gleaned from data breaches that have affected several large companies. Saying that recent high-profile data breaches were "more a failure in management than a failure in security," the column notes that chief executives should place data governance on par with processes such as financial reporting and brand management. A major breach of privacy can have an effect on a company similar to a product recall or defect. "Managing consumers' data and privacy is an executive matter of the highest priority," the column states, adding that security efforts like encryption and firewalls are "only part of the challenge." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Opinion: A Tale of Two Ideologies (June 8, 2011)

In a feature for The Atlantic Monthly, John Hendel explores the push-and-pull between calls for a "right to be forgotten" online and support for an open Internet in suggesting the world's "two biggest transnational institutions may soon fall into a complex, ideological struggle over people's rights to digital expression." One United Nations official suggests the removal of data, as sought in the right to be forgotten being advocated in the EU, would violate free expression. Hendel questions, "Could Europe's right to be forgotten evolve into a direct violation of the UN's newly entrenched principles and commitment to Internet liberty?" And his conclusion is, "Expect the battles to only be beginning."
Full Story

DATA PROTECTION—CANADA

Commissioner Gives Google Good Grades (June 7, 2011)

Canadian Privacy Commissioner Jennifer Stoddart has announced that Google has taken satisfactory steps towards protecting personal data, ITWorld reports. Google has agreed to implement five recommendations from the commissioner, including increased privacy and security training to all of its employees and the creation of a "governance model" that reviews the privacy protections within its products prior to launch. The company has also agreed to undergo an independent, third-party audit of its privacy programs within the next year and disclose the results to the commissioner's office. Stoddart added, "given the significance of the problems we found during our (Street View) investigation, we will continue to monitor how Google implements our recommendations."

PRIVACY LAW—CANADA

Commissioner Seeks Appeal to Court Decision (June 6, 2011)

Alberta Information and Privacy Commissioner Frank Work says an Alberta Court of Appeal decision sets a "dangerous precedent" that will compromise privacy rights, The Montreal Gazette reports. The case originated when furniture retailer Leon's required a customer to provide her driver's license number and license plate number in order to pick up an item she'd purchased and put on hold there. The woman reported the incident to Work's office, and an adjudicator ruled against Leon's, requiring it to cease the practice and destroy similar data it had already collected. The company appealed twice and won in a March decision. Work has requested an appeal to the Supreme Court.
Full Story

DATA LOSS

Hacker Groups Breach Websites (June 6, 2011)

Nintendo announced that one of its affiliate servers in the U.S. was illegally accessed "a few weeks ago," The New York Times reports. The company said the server did not contain consumer information, and "the server issue was resolved some time ago." The hacker group LulzSec claimed responsibility for the incident and a breach of an FBI partner organization called InfraGard--a group dedicated to disclosing information about physical and cyber threats to the U.S. infrastructure. Meanwhile, hackers breached a European server belonging to the computer manufacturing company Acer last weekend. The incident may have compromised the data of approximately 40,000 customers. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Study: Teens and Adults Have Common Practices (June 3, 2011)

A study comparing the behavior of adults aged 19 to 71 and adolescents aged nine to 18 revealed that time spent on Facebook is the determining factor in how much people post to the site, reports The Vancouver Sun. Adolescent respondents shared more but also spent, on average, 55 minutes per day on Facebook, while the adults spent 38 minutes. The survey also revealed older users were less "mindful of the potential consequences of online sharing" but used privacy settings more. "Our research shows that people simultaneously care about their privacy and share a lot on Facebook...The take home is that there needs to be more education about privacy on Facebook," said the study's co-author, Amy Muise.
Full Story

PERSONAL PRIVACY

Opinion: Put Smart Meters On Hold (June 3, 2011)

The public needs to see exactly what information smart meters will be able to collect, now and in the future, opines Charles Buettner in The Vancouver Sun. Noting a Cambridge University study that reported on the Danish government's recent moratorium on smart meters due to privacy concerns, Buettner says questions over smart meter data persist in Canada as well. BC's privacy commissioner is working with public utility BC Hydro to vet concerns, but, Buettner asks, what will happen if the company ever turns private? "We need the BC government to relent from the smart meter program until the public, those paying for the plan, can review and advise on it."
Full Story

PRIVACY LAW

Leaked Cable Suggests Privacy Workaround (June 3, 2011)

A University of Ottawa professor says government officials may have broken Canadian privacy law in allegedly helping the U.S. government skirt restrictions on obtaining information about a potential Canadian citizen, reports APTN National News. A U.S. State Department cable obtained by news agencies reveals that, in responding to a U.S. request, justice and foreign affairs officials suggested the U.S. State Department request the information "through Canadian law enforcement channels under the terms of the mutual legal assistance treaty." Professor Amir Attaran said, "Whoever gave this advice...should be severely reprimanded and probably fired" for "conspiring with a foreign government to violate Canada's laws as a Canadian public servant."
Full Story

DATA LOSS

Hackers Claim Responsibility for Breach (June 3, 2011)

The New York Times reports on a hacker group that has claimed it breached SonyPictures.com, accessing the personal information of approximately one million customers. The group, calling itself LulzSec, claimed the website was unencrypted and contained e-mail addresses, birth dates, addresses and passwords. In a statement released on Thursday, the group said it has accessed several databases and used SQL injection to infiltrate SonyPictures.com. A Sony spokesman said the company is "looking into these claims." The news of the breach comes on the same day that Sony representatives appeared before a U.S. House of Representatives subcommittee hearing on data security. (Registration may be required to access this story.)
Full Story

PRIVACY

Opinion: “Nothing To Hide” Argument Flawed (June 2, 2011)

The argument that "Only if you're doing something wrong should you worry, and then you don't deserve to keep it private," stems from faulty assumptions about privacy and its value, writes Daniel Solove in The Chronicle of Higher Education. Privacy can't be reduced to one simple idea, and people, courts and legislators often have trouble acknowledging certain privacy problems because they don't fit into a "one-size-fits-all conception of privacy," Solove writes. The "nothing to hide" argument assumes that privacy is about hiding bad things, without taking into consideration the freedoms privacy infringements erode, such as free speech and association. "In the end, the nothing to hide argument...has nothing to say," Solove says.
Full Story

DATA LOSS—CANADA

Company Faces Lawsuit After Breach (June 1, 2011)

In response to a data breach affecting Honda Canada, a class-action lawsuit has been filed seeking $200 million in damages, reports threatpost. Filed in Ontario, Canada, the suit claims the company exercised "poor security" and failed to notify customers in a timely manner. Honda Canada has apologized for the breach and has defended its notification actions, claiming that it needed to investigate the breadth of the breach and determine what information was compromised. (Editor's note: The IAPP will host a Web conference on June 23 from 1 - 2:30 p.m. on privacy-related class-action lawsuits and a recent and potentially instructive Supreme Court decision in this area. Watch for more details soon.)
Full Story

ONLINE PRIVACY

Schmidt: Google Now More Cautious on Privacy (June 1, 2011)

Intensifying scrutiny by public- and private-sector watchdogs has Google taking a more guarded approach toward privacy, CNN reports. "We're so sensitive on the privacy issue now," Google Executive Chairman Eric Schmidt said yesterday at an event in California, where he also shed light on the company's privacy processes. "Historically, we would just throw stuff over the wall," he said. "We now have a very, very thorough process." Google lawyers and policy experts now collaborate with development teams during product creation. Schmidt's comments follow the recent announcement that the company is withholding its rollout of a facial-recognition app due to the potential privacy ramifications.
Full Story

DATA LOSS

Automaker Notifies 280,000 of Breach (May 27, 2011)

In February, Honda Canada discovered that hackers had accessed a Web server that held company-created MyHonda and MyAcura websites for 280,000 of its customers. The sites were part of a 2009 mail campaign and were prepopulated with customer data including names, addresses and vehicle identification numbers, reports Computerworld. Upon discovering the breach, Honda took the system offline and, after an investigation, sent notification letters to those affected, telling them to watch for phishing campaigns. The company says the risk of identity theft is low. One customer laments, "It appears that even if you didn't create an account on their websites, if they mailed you about upcoming specials in 2009, your data were involved."
Full Story

PRIVACY LAW

Councillor Found Guilty of Violating Privacy Law (May 27, 2011)

In a first-of-its-kind ruling, a Prince George city councillor has been convicted of violating BC's Freedom of Information and Protection of Privacy Act, The Globe and Mail reports. On Tuesday, Provincial Court Judge Ken Ballon found Brian Skakun guilty of violating the act by disclosing a report about harassment at the RCMP to the CBC in 2008, the report states. "There were serious things going on, and I was very concerned," Skakun said. He expressed shock over the ruling. 
Full Story

GENETIC PRIVACY

Familial DNA Testing: Moral and Legal Questions Abound (May 27, 2011)

While familial DNA testing is used in three U.S. states and the UK, Canadian officials have been reluctant to embrace the practice due in part to privacy concerns. Is it fair, a Vancouver Sun report asks, to make "unwitting genetic informants" of relatives, and with studies showing that "crime seems to run in families," does this genetic link cast a "cloud of suspicion" over them? Some say if parliament allows familial testing, it should only be for the most serious crimes and when all other options have been exhausted, while the Office of the Privacy Commissioner has said it would not support it. A Department of Justice spokeswoman this week said it is consulting with provinces, police and others "to develop a consensus on how best to proceed."
Full Story

DATA PROTECTION

Small Organizations and Big Data (May 27, 2011)

Despite their size, in the Information Age, small organizations increasingly manage large amounts of data, The Globe and Mail reports, which presents "small businesses challenges to match that growth and to develop security policies to manage their sensitive data." The article looks at how some businesses have handled the challenge. One CEO says it's important to "find the right partners," consider data storage location concerns and choose the right platform. Also, says Adam Froman, CEO of a digital strategy firm, "You can't overlook the importance of having documented policies and guidelines about data handling."
Full Story

RFID

W. Kelowna To Be Charged $46K for Trash Sorting (May 27, 2011)

The City of Kelowna is charging the West Kelowna district $46,575 for extra sorting after it opted out of the city's RFID trash program intended to stop residents from including trash in curbside yard waste bins, reports Kelowna Capital News. On top of the charge to the district, residents will incur a $4.62 increase to their quarterly utility bill, and city officials say the costs may increase in the future. West Kelowna Mayor Doug Finlander has cited concerns over citizens' privacy and questions as to whether the program will be effective as reasons for opting out.
Full Story

ONLINE PRIVACY

Opinion: Big Data Needs Ethics (May 27, 2011)

In an article for the MIT Technology Review, Jeffrey F. Rayport delves into "Big Data" and the myriad companies emerging that mine and aggregate "massive amounts of unstructured data"--800 billion gigabytes of which is currently available, estimates market intelligence firm IDC--for financial gain. "As the store of data grows, the analytics available to draw inferences from it will only become more sophisticated," Rayport opines, adding, "The potential dark side of Big Data suggests the need for a code of ethical principles." Rayport proposes a structure of ethics, including his own digital "Golden Rule: Do unto the data of others as you would have them do unto yours."
Full Story

ONLINE PRIVACY

G-8 Leaders Talk Privacy, Internet Regulation (May 25, 2011)

In a communiqué to be issued later this week, G-8 leaders are expected to call for stronger regulation of the Internet, including strengthened privacy protections, The New York Times reports. The document is expected to call for "an international approach to protecting users' personal data," and to "encourage the development of common approaches...based on fundamental rights that protect personal data, whilst allowing the legitimate transfer of data," according to a Daily Mail report. At yesterday's opening of the e-G8 Forum in Paris--a prelude event to the Group of Eight meeting taking place later this week in Deauville, France--global Internet leaders and heads of state discussed and debated some of the issues that have provoked the attention of the G-8. (Registration may be required to access this story.)

DATA LOSS—CANADA

Breach Spreads to Canadian Website (May 25, 2011)

Bloomberg reports on an unauthorized intrusion into a Sony Ericsson Mobile Communications website located in Canada. The names and e-mail addresses of approximately 2,000 customers were stolen. Discovered on Tuesday, the incident prompted the mobile phone company to disable the website. This latest breach comes after incidents earlier this week affecting Sony services in Thailand, Indonesia and Greece. "This is getting very serious," one analyst notes. "What looked like a game-related attack in the U.S. is spreading to other businesses, such as music, and to all over the world."  
Full Story

ONLINE PRIVACY

Opinion: Users Need Internet Control (May 25, 2011)

In an op-ed piece for The New York Times entitled, "When the Internet Thinks It Knows You," Eli Pariser of MoveOn.org writes about the ability of algorithms and Internet giants to edit and sift through the Web's wealth of information, offering "personalized filters that show us the Internet that they think we want to see." The danger, Pariser writes, is an Internet that "offers up only information that reflects your already-established point of view." When it comes to tracking our likes and dislikes, clicks and searches on the Internet, he contends that companies "need to give us control over what we see--making it clear when they are personalizing and allowing us to shape and adjust our own filters." (Registration may be required to access this story.)
Full Story

PRIVACY LAW

EU Cookie Rules Will Have International Impact (May 24, 2011)

New EU privacy rules requiring companies to give users "clear, comprehensive and understandable information about how, why and for how long their data is processed" will affect any Web company with EU customers, eWEEK reports. The law, which gives Internet users more control of their data, went into effect May 26. "The e-Privacy Directive applies to cookies used to collect information that is not directly related to the service offered by the site and would be used for advertising purposes," the report states, noting cookies used for the collection of non-advertising data such as passwords may still be installed without explicit user consent.
Full Story

ONLINE PRIVACY

Schmidt: Legalese Makes Simple Policies Hard To Do (May 24, 2011)

At a conference in the UK last week, Google CEO Eric Schmidt said the company is trying to make its privacy policies easier to read and understand--especially those for mobile devices--but required legalese makes it difficult. While not committing to a specific plan, Schmidt said the company is working on a "series of simplification projects" for its policies and noted that one option "may be to have simple statements followed by 'legally required' text," reports The Wall Street Journal. Google updated its policies last year, but a company blog post acknowledged it has further to go. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

CPO: “You Can’t Prepare Enough” (May 23, 2011)

HealthcareInfoSecurity has released a two-part interview with Kirk Herath, CIPP, CIPP/G, chief privacy officer of Nationwide Insurance Companies. In the interview, Herath discusses how to handle scrutiny after a breach incident--stressing the need for communications professionals to guide public relations. "At the end of the day," he says, "the worst thing you can do is look like you're not transparent." The interviews also cover the scope and scale of a privacy officer's job; a review of the Epsilon and Sony breach incidents; how to manage privacy during a breach incident; Herath's personal experiences managing privacy at Nationwide, and the privacy concerns brought on by mobile devices and cloud computing.
Full Story

DATA LOSS

Hackers Target Small Firms, Too (May 23, 2011)

Small firms that think they are not a target for hackers should think again, The Los Angeles Times reports. One small California company last year lost $465,000 after hackers gained access to its business bank account, most likely through the owner's computer system. One fifth of the money was recovered. A 2010 survey by Symantec found that 74 percent of small and medium-size companies have been the target of cyber attacks. "It's a competitive advantage" now to have privacy protections in place, one consultant said, as companies are increasingly looking for contractors that do.
Full Story 

GENETIC PRIVACY

Court Bans Donor Anonymity (May 20, 2011)

In what one expert suggested is a case where the rights of the child trump privacy interests, a BC Supreme Court judge has ruled that legislation providing anonymity for sperm and egg donors is unconstitutional. The Globe and Mail reports on the lawsuit, which sought the same rights as those provided for adoptees. Madam Justice Elaine Adair agreed, giving the province 15 months to rewrite the law. BC would then join 11 jurisdictions in Europe, Australia and New Zealand that have banned anonymous donation, the report states. BC's attorney general has not decided whether to appeal.
Full Story

PRIVACY LAW

OIPC Releases Annual Report (May 20, 2011)

Urging public organizations to "be proactive," Ontario Information and Privacy Commissioner Ann Cavoukian released her annual report on Tuesday. In a year where more Freedom of Information requests were filed in Ontario, the press release said, it was also a year that set a new record for the number of privacy complaints closed. Key issues identified in the report include the protection of personal health information on mobile devices; international recognition of Privacy by Design and Access by Design by government frameworks; the OIPC's collaboration with Hydro One and Toronto One to embed privacy into the smart grid; a privacy-friendly biometric facial recognition system for the Ontario Lottery and Gaming Corporation, and the issue of standardizing the cost of health record access.
Full Story

PRIVACY LAW

Opinion: Crime Package Threatens Privacy (May 20, 2011)

On the agenda for the upcoming parliamentary session is consideration of a crime bill package that has prompted privacy concerns, writes University of Ottawa Prof. Michael Geist in the Ottawa Citizen. The bill includes provisions to require Internet service providers to disclose customer information without a court order and allow for real-time surveillance of their networks. Geist says the legislation "has far-reaching consequences for privacy, security and free speech" and that the privacy commissioners of Canada have expressed their concerns in a joint letter.
Full Story

INFORMATION ACCESS

Court: Public Gets Limited Access to Gov’t Documents (May 20, 2011)

The Supreme Court of Canada has unanimously upheld a Federal Court of Appeal decision restricting the public's right to access documents in the offices of the prime minister and cabinet ministers, the CBC reports. The court reasoned that ministers are "beyond the reach of the law" because they are "essentially separate" from the departments they head, but the ruling also states that some records can be accessed in certain cases. Suzanne Legault, Canada's information commissioner, said Canadians "should be concerned. If they don't know what is occurring in some very important meetings, then they have no idea of the basis of the decision government is making on their behalf."
Full Story

ONLINE PRIVACY

Schmidt: No Facial Recognition for Google (May 20, 2011)

Google CEO Eric Schmidt, talking this week at the company's "Big Tent" conference in the UK, said that Google is "unlikely" to create a facial recognition database, saying the accuracy of the technology is "very concerning" and that popularizing the technology may cause governments to pass broad-reaching laws with unintended consequences, reports PC Advisor. Schmidt also announced Google's new Dashboard, a service that allows users to see the information Google has collected about them and opt to delete certain data. "It is worth stressing that we can only do this with data you have shared with Google. We can't be a vacuum cleaner for the whole Internet," said Schmidt.
Full Story 

ONLINE PRIVACY

Expert Explores Internet Data Dilemma (May 20, 2011)

When it comes to controlling personal information online, the best option Internet users have lies in that old adage, "if you can't beat them, join them." That's according to MIT Prof. Sandy Pentland, whose work has focused on finding a data collection approach that works for organizations, advocates and regulators, The Wall Street Journal reports. Pentland suggests an approach where consumers manage their data and receive compensation for making it available. "Your data becomes a new asset class," he said, adding, "you have more control over the information, and it becomes your most lucrative asset." (Registration may be required to access this story.)
Full Story 

TRAVELLERS’ PRIVACY

Report: Electronic Device Searches Need Probable Cause (May 20, 2011)

On Wednesday, a think tank released a report recommending that the U.S. Department of Homeland Security (DHS) use probable cause before searching electronic devices at its borders, The Globe and Mail reports. "Technology is developing so much more quickly, and the law needs to catch up," one expert said. By carrying electronic devices, travellers "are unknowingly subjecting volumes of personal information to involuntary search and review by federal law enforcement authorities," the report said, and the "problem is compounded" because the devices often contain "personal and business-related information."
Full Story

DATA LOSS

Security Flaw Forces Site Shutdown (May 19, 2011)

Sony has shut down a website that was designed to help those affected by last month's data breaches, Reuters reports. The announcement came after Sony found a "security hole"--potentially allowing hackers to access users' accounts by using personal information stolen during the original breaches. The news comes after U.S. lawmakers wrote a letter to the company questioning the breach incidents and response. One expert said, "The Sony network in general still isn't secure and still has security issues that could be exploited by hackers." A Sony spokesman said the issue has been fixed, and the site will be back up soon.
Full Story 

ONLINE PRIVACY

Research: Flaw Could Compromise Smartphones (May 18, 2011)

Researchers from Germany's Ulm University have found a security flaw that could make it possible for hackers to breach data on certain Google Android applications, the Financial Times reports. The research indicates that photo-sharing, calendar and contacts applications could be breached, the report states, spurring warnings to Android users to avoid public WiFi networks. Google is quoted as saying, "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa." As the effort to fix the issues continues, IT PRO reports that Google is adding trust accreditation to its Marketplace Apps. (Registration may be required to access this story.)
Full Story 

HEALTHCARE PRIVACY—CANADA

Opinion: Blood Test Lawsuit Hits Upon Privacy Rights (May 17, 2011)

In a column for the Vancouver Sun, Ian Mulgrew writes about a lawsuit filed by an anonymous couple against the Provincial Health Services Authority in British Columbia. The lawsuit alleges that their child's blood "samples were obtained and stored as a result of a negligent or fraudulent concealment of facts that constituted an unlawful search and seizure violating the Charter of Rights and Freedoms." The Newborn Screening Program takes blood samples from newborn children to check for conditions, and the results are recorded and stored until the children reach the age of 10. According to the article, the judge has given the suit a "green light to proceed," but the family's lawyer has 30 days to "reframe the pleadings."
Full Story

DATA THEFT

Company Investigating PIN Pad Tampering (May 13, 2011)

Michaels Stores, Inc., has announced that approximately 90 PIN pads in at least 20 U.S. states have shown "signs of tampering," and it is currently looking into whether PIN pads in Canadian stores were affected, reports the Associated Press. As a result, customers can only make purchases with cash, checks or credit cards for now. The company announced earlier this month that Illinois-area stores were affected. In response, Michaels has "disabled and quarantined suspicious PIN pads and removed another 7,200 as a precautionary measure." 
Full Story

DATA LOSS

Recent Breaches Result in Dozens of Lawsuits (May 13, 2011)

The Globe and Mail reports that Sony faces at least 25 lawsuits in U.S. federal courts that stem from recently reported data breaches. The company is being accused of negligence and breach of contract. But, the article points out, plaintiffs' lawyers may find it difficult to establish damages rather than liability in the cases. Meanwhile, Sony is trying to rebuild consumer confidence in its services. One analyst said, "The key point is whether Sony will be able to get consumers to move on after this incident." Sony has announced that it will provide ID theft monitoring and other free services.
Full Story

ONLINE PRIVACY

Research Raises New Smartphone Concerns (May 12, 2011)

The Wall Street Journal reports on research suggesting that unique smartphone identifiers can be linked with other information to allow third parties access to personal information without users' consent. "The identifiers--long strings of numbers and letters associated with the phone--don't themselves hold any information about users," the report states, but New Zealand-based researcher Aldo Cortesi has found that U.S. gaming company OpenFeint "connected the IDs to users' locations and Facebook profiles and then made the combined data available to outsiders." Although the company has since fixed those issues, Cortesi has noted it is likely that other databases also link the unique IDs with other user information. (Registration may be required to access this story.)
Full Story

PRIVACY—CANADA

Commissioner Stepping Down (May 12, 2011)

Alberta Information and Privacy Commissioner Frank Work says he will step down when his term expires at the end of this year, The Edmonton Journal reports. "It has been my privilege to serve the people of Alberta in promoting open, transparent government and to guide citizens in the protection of their personal information," said Work, who has served as commissioner since 2002. Work oversaw the expansion of the commissioner's office in 2001 and 2004, following the Health Information Act and the Personal Information Protection Act, the report states. The government will appoint a committee to search for Work's replacement.
Full Story 

ONLINE PRIVACY

App Glitch Allowed Fourth-Party Access to Accounts (May 11, 2011)

A security firm has exposed a Facebook vulnerability that allowed third-party applications to share "access tokens" with advertisers and analytics companies, giving them access to users' accounts--including the ability to post information, read wall posts, access friends' profiles and mine personal information, reports The Wall Street Journal. The vulnerability has existed for years and likely affected about 100,000 apps, according to Symantec, which also said it's possible the third parties didn't know they had this ability. Symantec alerted Facebook to the vulnerability in April and the company has since addressed the problem and conducted an investigation that revealed "no evidence of this issue resulting in a user's private information being shared with unauthorized third parties," said a Facebook spokeswoman. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Clement Willing To Discuss ICO Fining Powers (May 10, 2011)

In response to Privacy Commissioner Jennifer Stoddart's call for the power to impose "significant, attention-getting fines" for data breaches, Industry Minister Tony Clement said he's willing to discuss the idea, The Vancouver Sun reports. Stoddart said last week that the most recent proposal to update the privacy law--which was tabled in May of 2010 and was based on a review done in 2008--is now "out of synch" with the "continuing occurrence of major data breaches." Clement on Friday agreed that it would "behoove us" to do the consultations again and said that the bill "is a pretty critical component of the broader digital economy strategy."
Full Story

ONLINE PRIVACY

Stoddart Calls for Transparency and Meaningfulness (May 6, 2011)

Privacy Commissioner Jennifer Stoddart yesterday released a report detailing the results of a series of public consultations about online privacy held last year, The Vancouver Sun reports. In the report, Stoddart calls on companies to better communicate with customers about their practices. "Transparency and meaningfulness of consent are serious issues and they generated a great deal of discussion on the panels," Stoddart said at the IAPP Canada Privacy Symposium in Toronto. "It is perhaps easy to get lost in the issue of opt-in versus opt-out, but one issue that needs serious consideration is that of meaningfulness." Stoddart's report also calls for the creation of standards to ensure privacy in the cloud computing environment.
Full Story

DATA LOSS

Commissioner: OPC Fining Powers Are Needed (May 6, 2011)

In a speech on Wednesday, Privacy Commissioner Jennifer Stoddart spoke about Sony's recent data breaches and described the need for the Office of the Privacy Commissioner to have fining powers, reports The Globe and Mail. Citing an "alarming trend towards ever-bigger data breaches," Stoddart said she will ask Industry Canada to rework proposed legislation that would give her the ability to impose "significant, attention-getting fines." Though the commissioner was "disappointed" that her office was not notified by the company about the breach, she noted that "since my office contacted Sony, the company has been very cooperative." 
Full Story 

ONLINE PRIVACY

Cavoukian: Recent Breaches “Unacceptable” (May 6, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian has called the past weeks' high-profile privacy breaches involving mobile devices and an online gaming site "unacceptable and avoidable," ITBusiness.ca reports. Speaking at this week's IAPP Canada Privacy Symposium, Cavoukian described the recent incidents involving Apple's iPhone and other mobile devices tracking users' locations and multiple breaches involving Sony's PlayStation Network as "privacy disasters that didn't need to happen," the report states. Simple safeguards could have been put in place to avoid the incidents, she noted.
Full Story

PRIVACY LAW

Judge Rules Against IP Address Linkage (May 6, 2011)

A U.S. judge has ruled that a copyright holder may not force Internet service providers to hand over subscribers' personal details, OUT-LAW News reports. Federal Judge Harold Baker said Canadian adult entertainment provider VPR Internationale cannot seek the personal information of illegal file sharers because an IP address--which, when linked with subscriber information, can identify the owner of the Internet connection line--could falsely identify the illegal file sharer, who could be a subscriber's family member, friend or anyone using the subscriber's IP address. The judge described trying to identify file-sharers by IP addresses as a "fishing expedition," which he said wouldn't be allowed for the "purpose and intention of class actions."
Full Story

ONLINE PRIVACY

Opinion: Recent Breaches Should Incite Action (May 6, 2011)

Though advocates' concerns about consumer privacy have long fallen on deaf legislative ears, recent high-profile breaches may incite a shift, opines Michael Geist in the Ottawa Citizen. Whether governments take action following headlines about breaches at Sony and Apple, consumers must take it upon themselves to act as "the front line guardians of their own privacy," Geist says, by "rotating passwords, only providing personal information that is strictly necessary for the services they use and opting out of unnecessary disclosures to third parties." Legislatively, Canada needs a mandatory breach notification system, Geist says. Now, breaches may go unreported to consumers and authorities without legal repercussions.
Full Story

ONLINE PRIVACY

Apple Releases iPhone Update (May 6, 2011)

The New Zealand Herald reports on Apple's release of software to update how long its iPhone stores users' location information in the wake of privacy concerns. Information included with the update indicates that location information will no longer be backed up on computers and disabling location features will result in location data being deleted. "Apple says the location data won't be kept for more than a week after the changes to the iPhone's operating system are installed," the report states.
Full Story

DATA PROTECTION—CANADA

Privacy Offices Launch Assessment Tool (May 5, 2011)

In the wake of recent high-profile data breaches, three of Canada's privacy commissioners have together created a tool for small- to medium-sized businesses to assess whether they are meeting federal and provincial data protection standards. The federal privacy commissioner and those from Alberta and British Columbia developed the online tool, which is made up of "dozens of yes or no questions," covering topics such as network and database security, access control and incident management, reports IT Business. One privacy expert questions how much the tool will be used, saying it may be better suited for larger organizations, as it "may be over the heads of most smaller businesses."
Full Story

ONLINE PRIVACY

Study: Define “Do Not Track” (May 4, 2011)

Initial results of a study of 200 Web users reveal that consumers might define the term "do not track" differently than Web companies, MediaPost reports. Preceding last week's World Wide Web Consortium workshop, researcher Aleecia McDonald asked Internet users what kind of data would be collected after activating a do-not-track option. Nearly 40 percent of respondents felt that "nothing at all" would be collected. Fifty-one percent of those polled indicated that they would not be surprised if nothing changed after they activated a do-not-track option. Eighty-one percent said it was the first time they had heard the phrase do not track.
Full Story

DATA LOSS—CANADA

Suit Seeks $1 Billion in Damages (May 4, 2011)

A $1 billion suit has been launched against Sony Corporation and its PlayStation and Qriocity networks for alleged negligence associated with the company's recent data breaches, the Toronto Star reports. The suit was filed in the Ontario Superior Court of Justice and seeks class-action status. The plaintiff, a 21-year-old college student and self-described loyal Sony customer, said in a statement that she was disappointed. "If you can't trust a huge multinational corporation like Sony to protect your private information, who can you trust?" she asked. The complaint alleges that Sony "failed to adequately safeguard certain personal information, financial data and usage data" and that it delayed notifications to affected and interested parties.
Full Story

DATA LOSS

Privacy Commissioner to Investigate Breach (April 29, 2011)

The Office of the Privacy Commissioner (OPC) is looking into the Sony PlayStation Network data breach that has affected up to 77 million users, reports the Financial Post. A spokesperson for the OPC expressed concern that the company did not promptly notify its customers about the breach and said that the office will move forward once it has a "full understanding of the incident." Meanwhile, Sony has announced that credit card information was encrypted. Alberta Privacy Commissioner Frank Work is also looking into the matter and has warned users that they should change their online passwords. According to one report, this latest data breach "is one of the top five ever."
Full Story

DATA PROTECTION

Commissioner and Utility Cooperating on Smart Meters (April 29, 2011)

The Globe and Mail reports that BC's privacy commissioner is working with utility company BC Hydro to ensure that privacy is protected as smart meters are rolled out. Smart meters will track consumers' energy usage data and report it back to the utility on an hourly basis. Advocacy groups have questioned how that data could be used and who besides the utility may seek access to it--such as divorce lawyers, law enforcement or insurance companies who may want to gain a "snapshot of people's behavior." A spokeswoman for BC Privacy Commissioner Elizabeth Denham said the office is working with BC Hydro to consider smart meters' possible impacts.
Full Story

ONLINE PRIVACY

Experts Not Surprised By Smartphone Privacy Threats (April 29, 2011)

Security experts are not surprised by the privacy threats that exist in smartphones, according to the Toronto Star. Telecommunications companies have long been able to remotely access the locations of phones, but with the right tools, anyone can access private information including texts, photos, social networking posts and other location-based data, the article states. The director of Consumer Watchdog's Privacy Project points out that "there really needs to be an educational process started so that people will begin to understand" that a "gold mine of data about their life exists inside their smartphone."
Full Story

ONLINE PRIVACY

McQuay Discusses Demonstrating Accountability (April 29, 2011)

In this Daily Dashboard Q&A, Nymity President Terry McQuay discusses the renewed look at accountability as it applies to data privacy. McQuay says accountability involves organizations being "responsible for personal information" and able to "account for it" within the organization when it flows to business partners by demonstrating the status of their privacy program to internal stakeholders. McQuay says there are three main organizational drivers for accountability, and he discusses accountability-related developments in the legislative and regulatory communities. McQuay will talk more about "demonstrating accountability" at next week's IAPP Canada Privacy Symposium.
Full Story

PRIVACY LAW

Opinion: USA PATRIOT Act Affects Canadian Citizens’ Privacy (April 29, 2011)

In a series of posts on ZDNet, journalist Zack Whittaker examines how the USA PATRIOT Act affects businesses, citizens and governments outside of the U.S.--particularly in Canada. Whittaker points out that the U.S. legislation covers data that is housed in or passes through U.S.-owned companies, thereby making it vulnerable to interception by authorities, which can be at odds with Canadian legislation covering cross-border data movement. Many online services, including those made available by the cloud, are provided by U.S.-based organizations. "The issue many Canadians face with the PATRIOT Act," Whittaker says, "lies in their recognizing it as a foreign piece of law which allows a foreign government to access their personal data for the benefit of the U.S."
Full Story

ONLINE PRIVACY

Web Standards Group Discusses Do Not Track (April 29, 2011)

The Web standards organization, World Wide Web Consortium (W3C), met this week to examine online privacy and the main issues surrounding a universal do-not-track mechanism, reports MediaPost. Discussion topics included definitions for do not track and the mechanism's operational feasibility. Nearly 60 position papers were submitted by Web companies, academics and others prior to the conference. W3C Co-Chair Lorrie Cranor said the group "has not yet formally taken on the task of formalising do not track or any of the other consumer protection technologies in the tracking space but are looking at it and trying to determine if there's a role for them and, if so, what direction to go in."
Full Story

GEO PRIVACY

Jobs: Mistakes Were Made, But Users Not Tracked (April 28, 2011)

Apple CEO Steve Jobs has responded to recent reports that iPhone and iPad devices were tracking users' locations, The New York Times reports. Mistakes were made in how location data was handled, Jobs said, but stressed, "We haven't been tracking anybody. Never have. Never will." Apple has stated that the anonymous data was used to help the phone find its location in regions with weak GPS, and a software update will be released to encrypt such data and limit its storage to seven days. Meanwhile, experts are calling for more transparency in how smartphones handle location information; data protection authorities across the globe have opened investigations, and a hearing before a U.S. Senate subcommittee has been scheduled for May 10. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Social Network Plans Internet Erasure (April 28, 2011)

In the midst of ongoing calls for a "right to be forgotten" on the Internet, an early social network has announced it will erase old posts and photos from its site. In a column for Technology Review, David Zax explores the push for an Internet "written in pencil," where users may remove information. The owners of Friendster, which predated such social networks as MySpace and Facebook, appear to be doing just that, having notified users that they plan to "wipe out the site's trove of digital memories, including ancient dorm-room photos, late-night blog entries and heartfelt friend endorsements," The New York Times reports. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Opinion: PR Damage Not Enough to Incite Action? (April 28, 2011)

There seem to be few repercussions for companies that lose customers' sensitive data, opines Nick Bilton in The New York Times. Breach reports are on the rise, and customers continue to hand over their information for access to online services. And yet, "the only real hit a company takes when these data breaches happen is to the company's image," Bilton writes. "It seems that with the frequency these events happen, a simple PR hit is not working to force these companies to protect people's privacy." Bilton says the problem will only get worse with the advent of the cloud. (Registration may be required to access this story.)
Full Story

GEO PRIVACY

Expert Calls for OPC Investigation Into iPhone Tracking (April 22, 2011)

Researchers have found that Apple's iPhone and 3G-enabled iPad began logging users' locations in hidden files a year ago, when Apple updated its mobile operating system. The data is usually unencrypted and can be copied to computers, the researchers found. Michael Geist, a member of the privacy commissioner's expert advisory panel, is calling for the Office of the Privacy Commissioner to open an investigation, calling the revelation "incredibly disturbing," The Victoria Times Colonist reports. While EU authorities are assessing the potential impact, and two U.S. legislators have written to Apple seeking an explanation, a Canadian software developer has announced the creation of a program to remove location history from such devices.
Full Story

HEALTHCARE PRIVACY

Dumped Medical Files Prompt Official Advisory (April 22, 2011)

Saskatchewan Information and Privacy Commissioner Gary Dickson has sent an advisory to the province's healthcare providers with eight recommendations to ensure they are in compliance with the Health Information and Protection Act (HIPA), according to The StarPhoenix. "We have a systematic problem with healthcare providers not understanding HIPA and not following the requirements," said Dickson. The advisory comes in response to a number of cases where medical files have been found in dumpsters in Saskatoon and Regina. Justice Minister Don Morgan expressed concern over the improperly discarded files and warned of a rise in prosecutions of health privacy law violations.
Full Story

DATA LOSS

Lost Memory Stick Contained PHI (April 22, 2011)

An unencrypted memory stick containing the records of 4,500 children has gone missing from a speech and hearing clinic at the University of Western Ontario, according to the London Free Press. The missing records include names, addresses, phone numbers, birthdates, doctor information and school and childcare information. Ontario Information and Privacy Commissioner Ann Cavoukian said, "If you are a healthcare facility of any kind, you never transfer identifiable data onto a portable device such as a USB or a laptop." Prof. Richard H. Irving, who specializes in health systems management, warns of the growing risk as information-holding devices become smaller, saying, "Once you put information on a little key...it's easier to lose it and it's easier to steal it."
Full Story

STUDENT PRIVACY

After OIPC Approval, Survey Has Begun (April 22, 2011)

Following the Office of the Information and Privacy Commissioner of Ontario (OIPC) decision last month on an Ottawa-Carleton District School Board survey, the Ottawa Citizen reports on the survey's launch this week, continuing through May 20. The survey, which includes questions on such topics as home life, religious beliefs and sexual orientation, raised concerns about student privacy. Students may choose to skip questions on the survey, which is confidential but not anonymous, the report states. The OIPC released a report in March stating that although the survey does request personal information, the collection is permissible because it is "necessary to the proper administration of a lawfully authorized activity."
Full Story

BIOMETRICS

OLG Says Gambling Program Will Protect Privacy (April 22, 2011)

The Ontario Lottery and Gaming Corp. (OLG) says its new "Voluntary Self-Exclusion" facial recognition program, announced last year, will not violate gamblers' privacy, reports ITWorld Canada. The program aims to help those with a self-identified gambling problem to stop gambling by cross-referencing images of people entering OLG casinos with a database of people who have put themselves on a list banning them from the casinos. Paul Pellizari, the OLG's director of policy and social responsibility, says unless the system recognizes a face as being in the database, the image is automatically deleted. (Registration may be required to access this story.)
Full Story

INFORMATION ACCESS

OIPC: Do Not Shred Files (April 22, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian is speaking out against a Toronto-based law firm's recommendation that Ontario hospitals "cleanse" their files of "anything that might embarrass them before the public gets the right in January to ask for the information," the London Free Press reports. "I was astounded at the language. Just using the word 'cleansing' is highly inappropriate. It suggests shredding, eliminating, hiding--getting rid of material before the end of the year," Cavoukian said. Ontario Health Minister Deb Matthews also spoke out against any action contrary to the "spirit of the legislation," the report states.
Full Story

DATA PROTECTION

Poll: 67 Percent of PCI-Regulated Companies Not Compliant (April 21, 2011)

In a survey conducted by the Ponemon Institute, 67 percent of PCI-regulated companies lack full compliance with the standard; 50 percent of security professionals view PCI as a burden, and 59 percent do not believe it helps with security, reports InformationWeek. The survey also found an increase in the number of data breaches since 2009, with non-PCI compliant companies experiencing more data breaches than PCI-compliant ones. The study found little connection between PCI-related expenditures and compliance levels. Imperva's director of security strategy noted, "In a somewhat counterintuitive manner, those organizations (that) suffered no breaches are not necessarily those who spent the biggest budget."
Full Story

DATA PROTECTION

IT Study Reveals Same Challenges, Accelerated Pace (April 21, 2011)

A survey of 2,400 IT security specialists from around the world shows compliance, governance and information security management at the top of their priorities for the remainder of 2011, reports InfoSecurity. The study, conducted by not-for-profit IT security association ISACA, found that the complexities of the IT landscape are accelerating due to new technologies and regulations as well as an increase in data breaches. Tony Noble, a member of ISACA's guidance and practice committee, notes that this year's survey shows a need to better align "business with IT to unlock greater value," adding that there's a perception on the business side of organizations that "IT is managed in a silo."
Full Story

HEALTHCARE PRIVACY

Drug Manufacturer Alerts Consumers of Breaches (April 19, 2011)

The Wall Street Journal reports that, as a result of the recent Epsilon data breach, GlaxoSmithKline has warned consumers in a letter that their e-mail addresses and names "were accessed by an unauthorized third party." The company makes drugs for asthma, HIV, depression and smoking cessation, among others. The breach may have exposed which product sites consumers are registered for, according to the company, which could help fraudsters discern what prescription drugs they take, warns CAUCE, a spam coalition. (Registration may be required to access this story.)
Full Story

DATA RETENTION

Company Extends Retention Term (April 19, 2011)

Yahoo disclosed on Friday that it will extend the length of the term it retains user data to 18 months, The New York Times reports. In a company blog post, Yahoo Chief Trust Officer Anne Toth said, "we will keep our log file data longer than we have been--offering consumers a more robust individualized experience--while we continue our innovation in the areas of transparency and choice to protect privacy." The company's current retention term is 90 days. Privacy advocates expressed disappointment about the change, and, the report states, "Yahoo's new policy may be in conflict with European Union data protection rules." (Registration may be required to access this story.)
Full Story

DATA LOSS

Sensitive Data Compromised in Blog Host’s Breach (April 15, 2011)

A host site for more than 19 million blogs has announced a data breach. WordPress.com says sensitive data was likely taken after its source code was exposed and copied. "We don't have any specific suggestions for our users beyond reiterating these security fundamentals," founder Matt Mullenweg said. "Use a strong password, meaning something random with numbers and punctuation; use different passwords for different sites; if you have used the same password on different sites, switch it to something more secure." The company will continue to investigate the breach, Security News Daily reports.
Full Story

EMPLOYEE PRIVACY

Experts: Monitoring Solves Some Problems, Creates More (April 15, 2011)

The Globe and Mail reports on employers using technology to monitor their employees' online activities at work and the views of some privacy experts that such monitoring can cause more problems than it solves. A recent survey of Human Resources Professionals Association member companies found that 55 percent monitor their employees' Web usage during work hours, while 60 percent have developed a social media policy. Citing multiple rulings that have granted employees "some amount of privacy in the workplace," one expert recommends that companies create written policies about monitoring tools and practices and have their employees sign off on those policies annually.
Full Story

PRIVACY LAW

Court Rules License Plates Not PII (April 15, 2011)

A divided Alberta Court of Appeals recently ruled that license plates are not personally identifiable information, "sending shockwaves through the Canadian privacy community," the Ottawa Citizen reports. The ruling came after an Alberta resident was asked for her driver's license and license plate while picking up furniture at a store in 2006. The majority of the court concluded that while a person's driver's license is personal information, a license plate is not. An appeal to the ruling seems likely, the report states, but "the final outcome of this case carries significant legal implications for privacy protection in Canada, particularly for online activities that raise many of the same issues."
Full Story

PRIVACY LAW

Opinion: Lawful Access Bill Would Erode Civil Liberties (April 15, 2011)

In a Macleans.ca editorial, Jesse Brown says a bill that would expand police powers over Canadians' personal information is cause for concern. The "lawful access" crime bill would grant police access to personal data via Internet service providers without a warrant. Last month, Privacy Commissioner Jennifer Stoddart and the country's provincial privacy commissioners sent a letter to the government expressing concerns about the bill and calling it problematic. The commissioners wrote that there was insufficient justification for the bill and asked for less-intrusive ways to fight crime. "It's a promise to do significant damage to the civil liberties of every Canadian," writes Brown.
Full Story

DATA LOSS

School Board Loses Data on 7,000 Employees (April 15, 2011)

CBC reports that the private information of about 7,000 Edmonton Public School Board employees has gone missing. A USB memory stick containing information including resumes, banking data and employment records was lost on March 22 by a computer technician. The school board has alerted the individuals affected and informed them of how to monitor their credit. Alberta Privacy Commissioner Frank Work said the school board policy indicates unencrypted memory sticks are not to be used. The policy also requires that the board keep a list of data stored on portable devices. "The third way they breached their own policy was they had kept too much information too long," Work said.
Full Story

PRIVACY—CANADA

OPC Investigating Allegations Against Postal Service (April 13, 2011)

The daughter of the victim of mail scams is raising concerns with the federal privacy commissioner about Canada's postal service, CBC reports. The woman says Canada Post sold her 84-year-old father's new mailing address to companies that update addresses in a federal database after his address was changed to avoid marketing scams. The database--containing thousands of new addresses--is accessible to 37 companies for a $10,000 charge each. Those companies update address lists for marketers. Canada Post "should not under any circumstances be selling personal information," the woman said. Canada Post says it offers an opt-out box to customers on its address change form. Privacy Commissioner Jennifer Stoddart is investigating.
Full Story

PRIVACY

Is Self-Regulation Realistic? (April 13, 2011)

The Wall Street Journal uses the example of catalog mailers to examine whether companies should self-regulate on privacy. Catalog Choice, a Web site that aims to give users choice over the sharing of their personal information, allows users to choose which mailing lists they'd like to opt out of and reports that 95 percent of catalog companies honor users' requests. But some catalog companies say they don't work with any third parties and aren't required to belong to such organizations, the report states. Chris Hoofnagle of the University of California Berkeley, who advises the company on legal matters, explains "the organization is legally an 'agent' for people requesting opt-outs." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Judge Dismisses Facebook Lawsuit (April 12, 2011)

Quebec Superior Court has dismissed a class-action lawsuit against Facebook. Judge Michel Déziel refused to authorize certification of the lawsuit, filed in July 2010 by Merchant Law Group in Toronto, which claimed that Facebook breached the privacy of its users, All Facebook reports. The suit also claimed that Facebook's altered privacy rules misappropriated users' personal information, enabling behavioral targeting, the report states. Déziel wrote that "Quebec courts do not have jurisdiction on the litigation because all the users of Facebook accepted, while joining itself to the site, to submit all the eventual recourses to the Californian courts of the district of Santa Clara."
Full Story

ONLINE PRIVACY

What Happens to Your Digital Life After Death? (April 11, 2011)

All Things Digital explores the question "Who will be reading your e-mail after you die?" in a feature on a new startup aimed at letting users decide. Michael Aiello, founder of LifeEnsured, explains, "We want people to think about what their virtual life is and what it means to them and their families and how they want to be perceived after they pass away." Besides deleting social network accounts or entries on online dating sites, options include moving photos stored in online servers into the public domain and sending final e-mails. And whatever end-of-life options LifeEnsured users may choose, Aiello says, "We put all the requests for our paying members in irrevocable trust."
Full Story

DATA LOSS

Canadian Consumers Among Victims of E-mail Breach (April 8, 2011)

As the fallout from the recent Epsilon data breach continues, The Vancouver Sun reports on the impact for Canadian consumers. In addition to a lengthy list of high-profile companies, the report notes the breach has affected The College Board, which administers exams taken by many Canadian students. Meanwhile, Forrester Research Analyst Dave Frankland told eWEEK that the effects of this breach reach farther than the company's client base, saying the breach calls into question the security of data in a cloud-computing environment.
Full Story

FINANCIAL PRIVACY

Expert: Be Wary of Phishing Scams During Tax Season (April 8, 2011)

Tax-related phishing scams have increased in recent months, with 48 percent of malicious mail including tax-related phishing scams as of late March, ITWorld Canada reports. "Phishing utilizes timely events to increase the likelihood of catching targets and information; during tax season it's tax phishing, during election season it's election phishing," said James Quin of Ontario's Info-Tech Research Group. Recipients of tax-related phishing e-mails should be on the lookout for requests for credit card information, the report states, and "know it is a scam if it asks for credit card info because the government does not give out rebates in that fashion."
Full Story

ONLINE PRIVACY

Miss Manners: Teach the Children Well (April 8, 2011)

Even Miss Manners is weighing in on data privacy concerns. In The Washington Post last week, a reader describes a video chat where a beloved niece "was snapping pictures of me using her computer's camera and was posting them on Facebook." The reader seeks advice on what to do about this younger relative's handling of digital data, asking, "perhaps I need to get with it and be prepared for my close-up at all times?" Miss Manners advises the reader to explain the concept of privacy to the young relative "not only for your protection but for hers." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

“G-8 du Web” Planned (April 8, 2011)

Data privacy concerns continue to demand the attention of world leaders. More details have emerged about plans to include Internet privacy on the agenda of the Group of 8 summit in France this year. The New York Times reports that French President Nicolas Sarkozy has enlisted a longtime advertising industry executive to help "organize a gathering of policy makers and Internet company executives" for a "first-of-its-kind meeting, dubbed 'G-8 du Web,'" to coincide with the G-8 summit, which takes place in Deauville, France, in May. (Registration may be required to access this story.)
Full Story

PRIVACY LAW

Condé Nast Targeted in Phishing Scam (April 8, 2011)

The ABA Journal reports that magazine publisher Condé Nast was recently duped in a spear-phishing scheme and is suing to recover the funds that the scammers attempted to steal. The publisher received a fraudulent e-mail that appeared to come from its regular printing house asking for payment to be sent to a new address. Relying on this e-mail, the company sent its $8 million payment to the new address. The publisher was alerted to the scam by its printing house and froze the funds, which were still in the recipients' account. This news comes amid high-level concerns that customers affected by the recent data breach at e-mail marketer Epsilon will fall victim to similar spear-phishing campaigns.
Full Story

PERSONAL PRIVACY

Samsung: Keylogging Accusations False (April 8, 2011)

Samsung has refuted claims that some of its laptops came loaded with a keylogger. The statement follows an internal investigation launched by Samsung after a report claiming that the spyware was installed on two of its models. The report was based on a security consultant's findings after he had performed a series of virus scans, Digital Trends reports. The keylogging software is publicly available. It records computer users' keystrokes and can send information to a third party without the users' knowledge, the report states. An additional, independent investigation confirmed that the keylogging finding was false.
Full Story

ONLINE PRIVACY

Reputation Managers Striving for Internet Amnesia (April 8, 2011)

A report in The New York Times on efforts to make the Internet forget likens the proliferation of personal information online to "a metastasized cancer" that has "embedded itself into the nether reaches of cyberspace, etched into archives, algorithms and a web of hyperlinks." More often, people from all walks of life are turning to online reputation managers that focus on improving their clients' Internet images through such techniques as removing negative posts and burying unfavorable search results. "The Internet has become the go-to resource to destroy someone's life online," the head of one reputation management company put it, adding the result is that life offline is turned upside-down as well. (Registration may be required to access this story.)
Full Story

PRIVACY LAW

Landmark Case Raises Issues for Employers (April 1, 2011)

The ruling in what is being called a landmark privacy case involving a teacher charged with storing inappropriate material on his work-issued computer is likely to have far-reaching implications for the personal use of company equipment, The Vancouver Sun reports. The Ontario Court of Appeal has ruled that while school officials could access the computer, police violated Richard Cole's rights by searching it without a warrant because he had permission to use it during weekends and vacations and to store personal information on it. Questions abound now, the report states, as to "what it will mean to workers and their employers in an environment that is increasingly reliant on portable technology to do the job."
Full Story

EMPLOYEE PRIVACY

Judge Recommends Health Disclosures for Bus Drivers (April 1, 2011)

Regardless of privacy concerns, school bus drivers should be mandated to undergo physical and mental health exams and report all conditions to their employers. That's the message from Judge Bruce Fraser following an inquest into a crash that resulted in the death of a nine-year-old girl, The Globe and Mail reports. Recommendations in the inquest report released on Thursday include random drug testing, mental health reporting, medication use disclosure and full medical disclosure. Although he acknowledged the potential privacy concerns associated with such requirements, "the protection of our children, our richest resource, trumps any such rights," Fraser said.
Full Story

PRIVACY LAW

Former Employee Sues City (April 1, 2011)

A former Saskatoon employee has brought a privacy suit against the city and several officials alleging improper disclosure of her utility bill information to the Canada Revenue Agency (CRA), The StarPhoenix reports, and attorneys are calling for a dismissal. The plaintiff has cited a 2010 report from Saskatchewan Information and Privacy Commissioner Gary Dickson that found the city breached her privacy several years earlier. "We have only the city's bare assertion that CRA was seeking to collect personal information for the purpose of administering or enforcing a tax law," Dickson wrote, noting the city also provided more information to the CRA than necessary, which "clearly constitutes a breach of the complainant's privacy."
Full Story

DATA LOSS

Opinion: More Must Be Done To Protect Privacy (April 1, 2011)

Saskatchewan's provincial government must do more to protect privacy, The Regina Leader-Post contends in a recent editorial sparked by a lack of prosecutions in a wave of data breaches over the past seven years. On the same day, The StarPhoenix referenced a recent incident where Information and Privacy Commissioner Gary Dickson and members of his office reclaimed boxes of personal medical records thrown into a dumpster, calling for the government and medical professionals to do more to protect patient privacy. Breaches of such personal information have not resulted in strong disciplinary action, which Dickson suggests "really minimizes what I think is a much more serious matter."
Full Story

CHILDREN’S PRIVACY

Questions Arise Over Parents’ Online Postings (April 1, 2011)

The Canadian Press explores several recent instances of "viral videos" on sites like YouTube and across the Internet--some with stars as young as a few months old--in examining whether future privacy implications exist. Some experts are urging parents to use caution as many ethical and privacy questions remain, the report states. As Indiana University Prof. Hans Ibold put it, "The sort of boundaries that we've had before with older media are changing and a lot of people assume now that anything goes, that nothing is private anymore. I think it will take some time to figure it out."
Full Story 

PERSONAL PRIVACY

Smart Grid Carries Risks (April 1, 2011)

The smart grid aims to provide the ability to monitor and control power usage remotely as well as to allow customers to feed their own wind, solar and biomass power back into the system, CBC reports, but privacy concerns persist. Governments hope the exchange of information about hourly power usage between the consumer and the utility will help to reduce energy consumption. However, the impending grid solution brings with it privacy risks. The grid is able to reveal to utilities more detailed information about consumers' personal habits than ever before based on energy usage data, which Ontario's privacy commissioner has expressed concerns about. Cyber attacks are also a danger.
Full Story

PRIVACY LAW—U.S.

Experts Weigh In on Buzz Settlement (March 31, 2011)

Privacy experts, industry advocates and Federal Trade Commission (FTC) officials are offering different insights on the implications of Wednesday's announcement of the FTC and Google's proposed Buzz settlement. In this Daily Dashboard exclusive, experts weigh in on how the settlement could impact regulations, industry and personal privacy going forward. As Katie Ratte of the FTC's Bureau of Consumer Protection put it, the settlement "is groundbreaking for us because it's the first time we've required a company to implement a privacy program to protect consumer data...It's something we called for in the FTC staff report, and we think it's important for all businesses to incorporate into their business operations today."

ONLINE PRIVACY

Expert: The Re-identification Devil Is in the Details (March 30, 2011)

When it comes to protecting privacy online, the biggest threat lies in the everyday details Internet users share without realizing that even anonymous postings can be correlated to expose their identities. That's according to University of Colorado Law School Prof. Paul Ohm, who spoke recently on the process of "re-identification." Deleting information is not enough, Thinq.co.uk reports, as companies can identify users by drawing inferences from the bits of data left behind. "We have to get used to talking about the price of privacy," Ohm notes, adding, "Maybe we should give up some of the efficiency and convenience of the Internet if we can protect privacy."
Full Story

EMPLOYEE PRIVACY—CANADA

BC Privacy Commissioner To Examine Database (March 28, 2011)

BC Privacy Commissioner Elizabeth Denham has announced that her office is examining the use of a police database for background checks on job applicants, The Vancouver Sun reports. In the wake of concerns by the BC Civil Liberties Association, Denham's office is reviewing the use of the BC Police Records Information Management Environment--which contains at least the names of 85 percent of the province's residents--to check criminal records for employment purposes. "This is a very complex issue involving multiple jurisdictions, multiple data linkages, competing interests and the overlap of at least five different laws," Denham said, adding, "we need to be sure that the process is fair and justifiable, both ethically and legally."

PRIVACY LAW

Passenger Data Bill Passes Senate Third Reading (March 25, 2011)

The Senate has passed the third reading of a bill that seeks to require airlines to provide information on passengers passing through U.S. airspace to U.S. authorities, The Vancouver Sun reports. Bill C-42, "an Act To Amend the Aeronautics Act," will allow such passenger information as name, gender and birthdate to be shared with the U.S. Department of Homeland Security. The bill has drawn privacy concerns from advocates such as the Canadian Civil Liberties Association. But one senator said that several amendments to the bill have strengthened it after an "effort was made to strike that balance between privacy and security."

PRIVACY

Telecom To Pay $275,000 After CRTC Investigation (March 25, 2011)

Rogers Communications has agreed to pay $275,000 to educational institutions after a Canadian Radio-television and Telecommunications Commission (CRTC) investigation, reports The Globe and Mail. Rogers, a Toronto-based wireless, cable, Internet and media company, was making automated calls to its subscribers, which violates CRTC regulations. Telecommunications companies must get prior consent to make such calls. Rogers has not admitted fault but has agreed to give $175,000 to the École polytechnique de Montréal and $100,000 to the British Columbia Institute of Technology as well as to stop making the automated calls and review its policies on the practice.

DATA LOSS

Dumpster Breach Has Officials Considering Law Changes (March 25, 2011)

Saskatchewan's health minister is willing to consider changes to privacy laws after thousands of patient files were found in a Regina recycling bin, CBC reports. Information and Privacy Commissioner Gary Dickson is investigating the breach after he and two assistants sifted through about 1,000 files found in a dumpster behind a shopping centre in Regina that "should have been shredded," Dickson said. An individual violating privacy law faces a fine of up to $50,000; a corporation could face a $500,000 fine. "The message we want to send to everybody who handles confidential information is that they are at risk of being prosecuted," said Saskatchewan's minister of justice.

PRIVACY

Stoddart Stops By “Strombo” (March 25, 2011)

Privacy Commissioner Jennifer Stoddart recently made an appearance on the George Stroumboulopoulos show to discuss the latest hot topics in privacy. Stoddart discussed the "scary" and increasing trend of tracking users in real time for marketing purposes. "It doesn't matter who you are...they can track every single purchase and can also track physically now where you are." Asked whether this is an egregious intrusion on privacy, Stoddart said she's been consulting with Canadians on that issue. "This tracking in real time has to be the ultimate loss of privacy," she said, adding other countries are addressing such issues. The U.S. has started to explore do-not-track guidelines, and the EU has the cookie directive.

FINANCIAL PRIVACY

Consumer Agency Warns Against Aggregator Disclosures (March 25, 2011)

The Financial Consumer Agency of Canada (FCAC) is warning consumers about providing passwords to financial aggregators, The Montreal Gazette reports. Doing so may violate your agreement with your primary financial institution, says FCAC Commissioner Ursula Menke, and fraud protection may depend on refraining from such disclosures. Such aggregators, based mainly in the U.S. but moving towards Canada, Menke said, allow consumers to track all of their financial information at one source, the report states, and use one password to gain access to all sources. "Before using an account aggregation service, consumers should find out what the consequences might be if they provide another party with access to their online banking information," she said.

PRIVACY

Scientist: “Surveillance Society Inevitable, Irresistible” (March 24, 2011)

There's enough data floating around about any given person to predict where they'll be next Thursday around 5:53 p.m., says Jeff Jonas, chief scientist of IBM's Entity Analytics group. The question is how privacy models will change as a result of the amount of data collected via cell phones, transactions and social media sites, among others, ZDNet reports. "The surveillance society is inevitable and irresistible," Jonas said at a recent conference in New York, adding that he's working on an "analytic sensemaking" machine that will incorporate privacy features into it from its construction that cannot be turned off. The system, called G2, aims to "explore new physics of big data," the report states.

BEHAVIORAL TARGETING

Social Network Turns User “Likes” Into Ads (March 24, 2011)

PCWorld reports that Facebook's "sponsored stories" ad plan, which has raised concerns among privacy advocates, is now being rolled out across the social network. For those who don't like the plan, Dan Tynan suggests in his report, "don't 'Like' it--or anything else. Because once you do...There is no opting out. Facebook can use your name and profile image alongside any product you endorse, per its privacy policy." A forthcoming plan to allow third-party advertisers to put users' images and names in a similar way will have an opt-out, the report states.

PRIVACY LAW—CANADA

Court: Personal Items on Work Computer Are Private (March 23, 2011)
The Globe and Mail reports on a judgment this week by the Ontario Court of Appeal related to questionable files a teacher had on his school-issued computer. "I conclude that the appellant had a reasonable expectation of privacy from state intrusion in the personal use of his work computer and in the contents of his personal files on its hard drive," Justice Andromache Karakatsanis wrote in the 30-page ruling. The court found it was permissible for school officials to search the computer but not to provide police access. "This case comes down firmly on the side of privacy and holds that employers cannot give police investigators access to a workplace computer," said privacy expert Scott Hutchison, adding, "the employer may own the computer, but that doesn't give them the power to waive the employee's privacy rights."

ONLINE PRIVACY—CANADA

OPC: Tracking Raises Concerns (March 23, 2011)

A CBC News report explores whether Canada may begin pursuing do-not-track legislation. "Almost everywhere you go online, you're being watched," Dan Misener writes, listing off the online tracking options--from news sites to social networks to health sites--where personal information can be gathered to profile users. In response to a question about do not track, the Office of the Privacy Commissioner has stated, "We are following with interest the U.S. Federal Trade Commission's proposal for a do-not-track mechanism. Our office has concerns about the lack of visibility with respect to online tracking, profiling and targeting. If people don't know about such practices, they can't take steps to limit tracking."

BEHAVIORAL TARGETING

Advocates: Device Fingerprinting Easier To Track Than Cookies (March 22, 2011)
Device fingerprinting technology now allows advertisers to specifically identify connected devices such as computers and smart phones. When devices send or receive data, they transmit pieces of information about their properties and settings that can be pieced together to form a unique "fingerprint" for that device, ClickZ reports. This concerns privacy advocates, as a device's fingerprint is more persistent than a Web-tracking tool such as a cookie. "You don't have any control over them, or at least not the same kind of control you do over cookies...That makes fingerprinting a serious privacy threat," said Peter Eckersley of the Electronic Frontier Foundation.

ONLINE PRIVACY

RIM Faces Gov’t Challenge on Corporate E-Mail (March 18, 2011)

An ongoing struggle between Research In Motion (RIM) and the Indian government over access to communications on RIM's BlackBerry service may come to a head this month. India has given RIM a March 31 deadline to hand over encryption keys to its corporate BlackBerry e-mail service, reports Digital Trends. Last year, RIM provided the government real-time access to its instant messenger service but has maintained that there is no back door into the corporate e-mail service. India is not satisfied with that response and says it will ban BlackBerry services in the country if it cannot monitor user communications. The government is concerned that terrorists could use the network to plan attacks, while privacy advocates say allowing government access could amount to stifling free speech and more.

DATA LOSS

Lost Hard Drive, Work Responds (March 18, 2011)

The recent loss of a hard drive at Covenant Health has triggered Alberta Information and Privacy Commissioner Frank Work to voice his frustration with personal data losses, saying, "I'm perplexed as to how we motivate people to obey and follow all these security rules and policies we have in place." The hard drive, which contained images, names and hospital ID numbers of 233 patients, went missing during a move on January 17, reports the Edmonton Sun. President and CEO of Covenant Health Patrick Dumelie said that the files were not stored according to policy. He believes there is little risk of identity theft due to the loss.

DATA LOSS

Medical Marijuana Users Outed in Breach (March 18, 2011)

A Toronto man who received in the mail two pages of personal information about patients who had been in contact with Health Canada's Marihuana Medical Access Division will submit a complaint to the privacy commissioner, National Post reports. A Health Canada spokesperson indicated that they were "aware of an incident involving the potential disclosure of personal information" and that they "have taken immediate steps to investigate this occurrence." The man who received the information, which included full names, addresses, phone numbers and condition details, described the breach as "unprofessional."

PERSONAL PRIVACY

Opinion: VA Breach Reveals Sloppiness (March 18, 2011)

An editorial in the Winnipeg Free Press says the Department of Veterans Affairs' (VA) mishandling of Canadian Forces veteran Sean Bruyea's medical information and the subsequent investigation "reveals an astonishing degree of sloppiness and ignorance, particularly with regard to senior officials who should have known better." The author describes the VA's explanations for the abuse--which included a lack of emphasis on the importance of data privacy within the department--as "lame and inadequate." VA employees are now being trained on privacy rules, and the author encourages all branches of government to follow its lead. "Fortunately," says the author, "the case was so serious that the privacy commissioner has decided to conduct a more thorough investigation."

PRIVACY

Cavoukian Partners with Arizona State on Whitepaper (March 18, 2011)

Ontario's Information and Privacy Commissioner and Arizona State University's Privacy by Design Research Lab have released a new whitepaper on privacy protection for mobile technologies. Commissioner Ann Cavoukian highlighted the paper during the IAPP's Global Privacy Summit in Washington, DC, last week. The Roadmap for Privacy by Design in Mobile Communications lays out privacy responsibilities and practical measures for device manufacturers, platform developers, network providers and application developers, among others. "This paper clearly demonstrates that Privacy by Design is not a conceptual abstraction or theoretical formulation," Cavoukian said. "Rather, Privacy by Design is an on-the-ground reality based on practical tools and viable solutions."

ONLINE PRIVACY

E-Commerce Site Makes Changes After Users Complain (March 16, 2011)

As a result of privacy concerns voiced by a number of users, an e-commerce Web site has decided to stop publishing customers' purchase histories within user feedback posts. Etsy recently activated a "people search" tool allowing users to search for other users' names as a way to view purchases and recommendations. However, some users claimed they were not notified that their information would become public when they initially entered their full names on the Web site. Etsy has now disabled the feature and says it is considering further changes to protect buyer privacy, Ars Technica reports. In the future, the site may allow users to post purchases, but it would be "completely opt-in," executives said.

PERSONAL PRIVACY

The Changing Meaning of “Personal Data” (March 16, 2011)

William Baker and Anthony Matyjaszewski explore the changing meaning of "personal data" in this preview article for the upcoming April edition of the IAPP member newsletter, the Privacy Advisor. The article includes a compendium of definitions outlining how the term is defined within data protection laws worldwide.

SOCIAL NETWORKING

Study: Attitudes on Privacy Becoming Polarized (March 16, 2011)

According to a Ponemon Institute study, 58 percent of social network users feel their privacy is less important to them than it was five years ago, while 53 percent of non-users said it is more important, msnbc.com reports. Ponemon Institute Founder Larry Ponemon, CIPP, called the findings surprising, adding, "The fact is there's not a lot of complacency about privacy now. People are thinking about this." Privacy expert Alessandro Acquisti says one reason for the polarization may be that the more people use social networks, "the more costly it becomes for others (who aren't members) to be loyal to their views...That means some people's right to privacy is being rendered more difficult to protect precisely by the right of other people not to care about privacy."

ONLINE PRIVACY

Microsoft Do-Not-Track Tool To Debut Tuesday (March 15, 2011)

Microsoft's newest version of Internet Explorer is set to release on Tuesday with a do-not-track tool to help Internet users "keep their online habits from being monitored." However, concerns persist as to whether self-regulatory approaches will work. The Wall Street Journal reports that Microsoft and Mozilla have adopted do not track in the wake of the Federal Trade Commission's recommendation for such tools, highlighting "the pressure the industry faces to provide people with a way to control how they are tracked and targeted online" with legislation being contemplated at the federal level. However, the report goes on to state, industry-based systems "will only work if tracking companies agree to respect visitors' requests," and to date, none have publicly agreed. (Registration may be required to access this story.)

ONLINE PRIVACY

Working On-The-Go Could Pose Privacy Threats (March 15, 2011)

The ability to take work on the road via laptops, tablets and smartphones enabled for WiFi access is convenient, but these mobile offices are vulnerable to data breaches, The New York Times reports. According to a report by Symantec and the Ponemon Institute, such breaches are becoming more expensive. From leaving laptops in hotel rooms to using public WiFi to sharing information on social networks, experts detail the myriad risks to personal and business data. Prof. Betsy Page Sigman of Georgetown's McDonough School of Business suggests, "You want to be overly cautious, especially if you are around a lot of competitors." (Registration may be required to access this story.)

ONLINE PRIVACY

A Look at the “Right To Be Forgotten” (March 15, 2011)

The ramifications of a "right to be forgotten" online are explored in an Internet Evolution feature that looks at the call on both sides of the Atlantic for online privacy protection and, more specifically, the push in the EU for a right to "erase your Internet tracks forever." The report references a recent post by Peter Fleischer, noting that "anyone who has considered codifying such a right into law hasn't thought through the implications." The report goes on to consider the historical and legal implications of removing, for example, the online footprints of criminals. Ron Miller writes that "whether you can delete the content is not really the point. The real question is: Should you? And if you do, does this amount to censorship?"

PERSONAL PRIVACY

Consumer Attitudes Explored (March 15, 2011)

In the first of a three-part series, msnbc.com technology correspondent Bob Sullivan talks to Larry Ponemon, CIPP, and Alessandro Acquisti about the large part of the population that claims to care about personal privacy but yet does not make efforts to preserve it. Ponemon says people, as "part of a large herd...take a 'the lion is not going to attack antelope' mentality," while Acquisti says between attitude and behavior there are many steps, and "it's not obvious what you should do to protect your privacy." Both experts also point to a sense of helplessness, a belief that privacy is lost anyway, and if you want to function in society--get on a plane, use a social network--you have to surrender to it.

SOCIAL NETWORKING

Simons, NDP Resolve Access Debate (March 11, 2011)

A standoff between possible NDP leadership candidate Nicholas Simons and the NDP over whether the party has a right to his social networking passwords has come to an end. After a debate that drew the attention of BC Privacy Commissioner Elizabeth Denham, Simons revealed that all his online networks are open and always have been, reports The Globe and Mail. Simons said he withheld this information because, "It's going to be an interesting public debate in terms of future requests." The NDP holds that its request is reasonable, but Commissioner Denham, speaking from the IAPP Global Privacy Summit, said though she's happy to see a resolution, she will continue to investigate, adding, "I wouldn't want this to be setting a precedent."

PERSONAL PRIVACY

VA Gives Reprimands in Bruyea Case (March 11, 2011)

Veterans Affairs (VA) bureaucrats who inappropriately accessed the files of veterans' rights activist Sean Bruyea have been given written reprimands and three-day suspensions for their actions, reports The Globe and Mail. "It doesn't even come close to making government wrongdoing accountable," Bruyea said of the punishment. VA Minister Jean-Pierre Blackburn says mitigating circumstances make the punishments appropriate and that privacy wasn't a focus of the organization prior to the Bruyea incident. "I don't want to excuse what has happened, but it was part of the reality of the department at the time," Blackburn said. "We went as far as possible for the sanctions."

PERSONAL PRIVACY

Statistician Discusses Household Survey (March 11, 2011)

While some legislators are pushing for a return to a mandatory long-form census, Chief Statistician Wayne Smith spoke before the Canada House of Commons this week, stating he will not know whether the new voluntary national household survey is an effective replacement until the results are reviewed later in the year, the Toronto Sun reports. The federal government made the long form voluntary after noting that such questions as "religion and the size of a person's home were invasive and should be optional." MP Carolyn Bennett, who introduced the proposal to return to the long-form census, has said that filling out the questionnaire does not mean such specific information as religious affiliation is linked back to individuals.

RFID

Opinion: New Program is “Big Brother in a Licence Plate Renewal Sticker” (March 11, 2011)

An opinion piece in The Telegram explores a plan in St. John's for tracking devices used to monitor traffic as well as parking and speeding infractions. The committee considering putting the technology to use notes, "The information collected from the RFID tag is sent wirelessly to a data server and then forwarded to the appropriate agency. For example, if a car runs a red light at an intersection where there is an RFID reader, the car's information is collected, via the RFID tag, and forwarded to the local police department so that a ticket can be issued." The opinion piece references privacy concerns and the need for "changes to existing legislation to accommodate the technology."

HEALTHCARE PRIVACY

Opinion: Cloud Improves Patient Privacy (March 11, 2011)

There is little doubt that patient care will improve as hospitals gradually move electronic medical records (EMRs) to the cloud, opines Anthony Wright in itbusiness.ca. Wright says the cloud offers lifesaving benefits because the EMRs it stores allow physicians and hospitals to share patient information, and it improves privacy and security by preventing files from being stolen, misplaced or accessed in the way that paper files could be. But Wright cautions that privacy protection protocols must be addressed. "There will be information from the public cloud that people will want in EMRs. The question yet to be answered is who will manage and govern data privacy, and how?"

STUDENT PRIVACY

ICO Says School Board Survey OK (March 11, 2011)

The Office of the Information and Privacy Commissioner of Ontario says an Ottawa-Carleton District School Board survey is "necessary to the proper administration of a lawfully authorized activity," and the board gave parents and students adequate notice, reports the Ottawa Citizen. The OIPC investigated the survey--which asks questions ranging from academic abilities to cultural backgrounds--after receiving complaints about the lack of anonymity and potential use of the information, among others. Board executive officer Michele Giroux said the information will not be accessible by staff members. "We're never using the survey to react to individual student situations; we're collecting the information from individual students so that we understand our student population as a whole."

DATA LOSS

Employee Terminated for Accessing Files (March 11, 2011)

Central Health has announced that it has terminated an employee for inappropriately accessing patient files. The Telegram reports that the employee accessed at least 80 reports on at least 19 people over a two-and-a-half year period. The health authority is in the process of notifying affected individuals, and Central Health's CEO said of the firing, "If we are going to be successful in protecting the private and confidential information of our client, we must enforce our policies." In 2010, Central Health made privacy training mandatory for every employee and recently hired a privacy manager and privacy analyst in order to better protect patient information.

ONLINE PRIVACY—U.S.

Web Data Miners Strike it Rich (March 11, 2011)

In a feature for TIME Magazine, Joel Stein writes of the ways data-mining companies are able to amass rich stores of information about Web users. "I've gathered a bit of the vast amount of data that's being collected both online and off by companies in stealth--taken from the Web sites I look at, the stuff I buy, my Facebook photos, my warranty cards, my customer-reward cards, the songs I listen to online, surveys I was guilted into filling out and magazines I subscribe to," he writes. Stein details what he describes as a multibillion-dollar industry based on consumers' personal information and examines the push at the federal level for regulating the collection, storage and use of such data.

ONLINE PRIVACY

DPAs, Others Weigh “Right To Be Forgotten” (March 11, 2011)

Across borders, discussions are in full swing over the dichotomy between the Internet's inability to forget and the call for a "right to be forgotten." In a Forbes report, Kashmir Hill notes, for example, that just such a right "has been affirmed by the Spanish DPA," which recently called for Web sites to delete "inaccurate or out-of-date links" from searches. Meanwhile, Google Global Privacy Counsel Peter Fleischer writes, "More and more, privacy is being used to justify censorship. In a sense, privacy depends on keeping some things private, in other words, hidden, restricted or deleted. And in a world where ever more content is coming online, and where ever more content is findable and shareable, it's also natural that the privacy countermovement is gathering strength."

PRIVACY

CDT Receives 2011 IAPP Privacy Leadership Award (March 10, 2011)

The Center for Democracy and Technology has received the 2011 IAPP Privacy Leadership Award. The annual award recognizes a global leader in the field of privacy and data protection. Presenting the honor this morning at the IAPP Global Privacy Summit in Washington, DC, IAPP Board of Directors Treasurer Brendon Lynch, CIPP, said the CDT "is at the forefront of efforts to keep the Internet open, innovative and free. They have consistently been a leading voice for free expression and privacy in communications and have fostered practical and innovative solutions to public policy and civil liberties." CDT President Leslie Harris accepted the award on stage with CDT staff members Justin Brookman, Jim Dempsey and Erica Newland and CDT Board Chairman Deirdre Mulligan.

Tracking Users’ Web Footprints (March 7, 2011)

A feature in The New York Times explores Web sites that track users' browser history for public viewing, questioning whether individuals will choose to share such information, which can range from visits to online dating and banking sites to exploring medical conditions, and pointing to the assurances site developers are making about privacy. "At all of these tracking sites, developers say they take privacy very seriously," Austin Considine writes in the report, adding, "their success will ultimately be predicated on trust." The developers point to such safeguards as not sharing secure links and providing options for disabling tracking. The founder of one such site suggests they make users more aware of online privacy, noting, "If we're not following you, no matter what, somebody else is." (Registration may be required to access this story.)

BEHAVIORAL TARGETING

Fingerprinting To Supplant Cookies? (March 4, 2011)

Several startups are experimenting with tracking technologies that could supplant cookies as behavioral targeting mechanisms, ClickZ reports. Device fingerprinting operates by tracking mobile phones, PCs, TVs and cars using unique identifiers. Based on the device's properties and settings, fingerprinting allows advertisers to link to and track the device and transmit messages based on activity. It's easier to opt out of fingerprint tracking than cookies, developers say; because the device's fingerprint lasts as long as the device itself, opting-out must only happen once. In addition, the developers say, the new technology already complies with do-not-track principles because users can "opt out of both tracking and targeting independently."

BEHAVIORAL TARGETING

Study: Data Anonymity Changes Internet Users' Minds (March 3, 2011)

MediaPost reports on a PubMatic study that asked about 500 Internet users how they feel about advertisers tracking their online activities. The study found that the anonymity of the data and how the data is used matters to respondents. Once respondents understood that only anonymous data was used for ad targeting, 40 percent changed their response from disapproving of the practice to approving of it. PubMatic's vice president of marketing said, "Everyone knows the user's privacy is paramount and that we provide a service to them. Understanding the how and the why changes everything."

DATA PROTECTION—CANADA

Government Orders Grinding Machine for Data Purge (March 1, 2011)

The Canadian Press reports on the federal government's order for a large-scale grinding machine that will destroy data that's been stored on discarded media to be sure that it's "reliably overwritten." Privacy Commissioner Jennifer Stoddart reported last year that three government agencies had been discarding old cell phones at the Public Works Department without purging the data first. The Royal Canadian Mounted Police and Communications Security Establishment both issue guidelines on destruction of government data, however. A public works spokesman said that besides ensuring the data will be permanently destroyed, the onsite grinder will keep data from being "transported off-premises, which also reduces the risks of unauthorized disclosure."

ONLINE PRIVACY

Headlines Inspire Opt-Out Technologies (February 28, 2011)
Concerns about privacy have prompted the creation of two start-ups that aim to provide online users with more choice. Following the news of a privacy breach at Facebook, a former Google engineer created a piece of software that disabled features that track browsing history, The Wall Street Journal reports. Within two weeks, 50,000 users downloaded the free application. Engineer Brian Kennish said he's since left Google so that he could create "Disconnect"--software to work with a wider array of sites' tracking devices or "widgets." The software also disables search engines from tracking users' Web movements. Meanwhile, a 19-year-old college student has started a company that allows users to opt out of tracking by 100 companies. (Registration may be required to access this story.)

ONLINE PRIVACY

Companies Take Steps To Protect Privacy (February 28, 2011)

Internet companies are taking steps to address calls for stronger online protection for Internet users, The Wall Street Journal reports. Most recently, both Microsoft and Facebook have "moved to beef up and clarify their efforts around the thorny issue of online privacy," the report states, describing Microsoft's move to add a do-not-track tool to its services and Facebook's new draft of its privacy policy with more user-friendly information headings. "The new policy is much more of a user guide to how to manage your data," said Jules Polonetsky, CIPP, of the Future of Privacy Forum, which was consulted by Facebook. "You might actually want to read this thing." (Registration may be required to access this story.)

ONLINE PRIVACY

Start-Ups Capitalize on Data as Currency (February 28, 2011)

Entrepreneur Shane Green's company allows people to personally profit from providing companies with their personal data, which he says has become "a new form of currency." His company is one of about a dozen start-ups aiming to capitalize on privacy as marketers increasingly rely on personal data for targeted ads, The Wall Street Journal reports. One London real estate developer now offers to sell people's personal information on their behalf and give them 70 percent of the sale, the report states, while others offer products to help block online tracking or charge to remove users from marketing databases. One entrepreneur said while "privacy" was a hard sell as of two years ago, investors are now quick to jump at opportunities. (Registration may be required to access this story.)

ONLINE PRIVACY

Governing Body Accepts Microsoft Tracking Proposal (February 25, 2011)

The World Wide Web Consortium (W3C), the governing body for HTML5, has accepted Microsoft's tracking opt-out proposal to protect consumer privacy, PCWorld reports. Microsoft's Tracking Protection allows users to choose not to be tracked on the Web by blocking the content that does the tracking, the report states. Internet Explorer's corporate vice president, Dean Hachamovitch, said online privacy is a high priority for consumers and governments around the world. Ashkan Soltani, a privacy and security researcher, called Microsoft's release of the program "a great move" that demonstrates the company's recognition "that for this to work, you want both technology and policy to work in tandem."

BIOMETRICS

Facial Recognition Credited with Stopping Identity Theft (February 25, 2011)

When it comes to identity theft, facial recognition is a useful tool, The Vancouver Sun reports. That is based on information from the Insurance Corporation of British Columbia (ICBC) that its two-year-old facial recognition program has helped stop fraudsters who have attempted to steal deceased children's identities for fake driver's licences or identity cards. Since putting the technology in place, the ICBC has investigated 600 such frauds, the report states, and many of those cases have resulted in convictions. Facial recognition allows ICBC to know "if somebody has a licence in another name, another licence in their own name or a prohibition on a licence," spokesman Adam Grossman said. "It's too early to know the cost benefits but we're catching some pretty serious cases."

DATA PROTECTION

Opinion: Police Database Could Be Abused (February 25, 2011)

An editorial in The Calgary Herald calls for more public input and more oversight over a police database that is now the subject of an Alberta privacy commission privacy impact assessment. Built over the last five years, The Alberta Law Officers' Network (TALON) contains more information than the existing Canadian Police Information Centre, including "everything from 911 calls to speeding tickets," the report states. Civil liberties advocates have raised concerns about privacy implications and the potential for the database to be misused. "Giving increased powers to police must be done cautiously and with more than simply vague assurances that proper checks and balances are in place," the Herald states.

DATA PROTECTION

Cavoukian: Smart Grid Privacy is Good for Business (February 25, 2011)

Instead of utility companies asking how much money it will cost them to incorporate privacy safeguards into smart grid plans, they should be asking how much money it will save them. That's according to Ontario Information and Privacy Commissioner Ann Cavoukian in an Intelligent Utility Q & A. Cavoukian says in the two-part series that protecting privacy will help utilities to gain consumer trust and avoid data breach incidents. Instead of arguing whether the utility or the customer owns utility data, the terms "custody" and "control" should be used, she said, adding that since the utility has custody of the data, it has "obligations to protect it."

PRIVACY LAW

Online Juror Vetting: Muddy Waters for Courts (February 25, 2011)

Law firms are increasingly using social networks and online searches to build extensive juror profiles, causing regulatory and privacy concerns. Reuters reports that lawyers are hesitant to discuss Internet vetting, partly because they aren't sure of the rules surrounding the practice; "It's like the Wild West," said a U.S. attorney. In a May 2009 U.S. court case, a judge barred a lawyer from Googling prospective jurors in the courtroom because the other lawyers had not brought laptops, but an appellate court overturned the decision, stating, "Internet access was open to both counsel--even if only one of them chose to utilize it."

ONLINE PRIVACY

The Transparency-Privacy Balance Online (February 25, 2011)

Kris Kotarski, writing for The Calgary Herald, shines Louis Brandeis's principle of sunlight being the best disinfectant onto the Internet. While governments and corporations gain greater abilities to track and monitor the public online, Kotarski writes, the public has a new and broad-reaching tool for researching and "'enforcing' transparency among powerful organizations." According to Kotarski, privacy rights and anonymity are important ballast for ever-growing technology that "tilts the balance away from individual privacy." He writes, "The technologies available and the capabilities that they bring will undoubtedly continue to evolve, but it is crucial to decide on how our cultural and legal norms should evolve along with them."

PRIVACY LAW—EU

European Council Calls for Cost Assessments on Proposed Changes to Directive (February 25, 2011)

Daily Dashboard Exclusive

The European Council has shared its opinion on the review of the European Data Protection Directive. During meetings yesterday and today in Brussels, council officials expressed general support for the review, while also outlining areas of concern and further study. Patrick Van Eecke of DLA Piper in Brussels told the Daily Dashboard that while the council generally supports the review, "it seems to be concerned about costs of compliance." The council has advised the European Commission to conduct cost analyses of the proposed changes before actually making them. The council also made recommendations concerning minors, categories of "sensitive data" and the right to be forgotten, among others.

PRIVACY LAW—CANADA

How Much Privacy Should We Expect at Work? (February 23, 2011)

Any electronic correspondence sent at the workplace should be considered about as private as a postcard. That's the message from the head of Quebec's Privacy Commission, Jean Chartier, who recently advised that a "computer screen is not a wall that you can hide behind." A case set to unfold this week before Montreal's city council illustrates the lingering question surrounding how much privacy an employee can expect at work, The Montreal Gazette reports. A city employee claims to have been spied upon by officials who say they investigated the employee based on allegations of misconduct. Employees must work within the employer's guidelines, Quebec's privacy commission warns.

ONLINE PRIVACY

A Gift With a Price? (February 23, 2011)

According to Andrew McAfee, principal research scientist at MIT's Center for Digital Business, an iTunes gifting policy may violate the U.S. Video Privacy and Protection Act, which bans the disclosure of rental records without customer consent. The iTunes Store allows users to give up to 100 songs to a person using only the recipient's e-mail address and then notifies the giver if that person has duplicates of any of the songs in their playlist, reports PCWorld. McAfee points out that e-mail addresses are often easy to guess, and Apple doesn't require users to log in to their account or give payment card information to use the service. "This strikes me as problematic," McAfee wrote, adding that scanning a person's playlist could take a while, but the process could be automated.

ONLINE PRIVACY

Denham: Privacy Remains a Social Norm (February 18, 2011)

Speaking before a standing-room-only crowd at the Privacy and Security Conference on Thursday, BC Privacy Commissioner Elizabeth Denham said despite the networked nature of our online world, privacy and data security remain key concerns for Internet users. "If privacy were indeed on the ropes as a social norm, we wouldn't see more countries adopting privacy laws, including serious proposals for such laws in both houses of congress in the U.S.," she said. The Victoria Times Colonist reports that Denham spoke of recent privacy investigations and the attention they have drawn from the mainstream media. Much work remains, she said, noting, "To get better services from companies or governments, we may have to give up some of our privacy, but how much is too much? That's the tricky public-policy question."

ONLINE PRIVACY

Police Database Spurs Concerns (February 18, 2011)

Alberta's new $65 million Talon database to allow law enforcement officials to share information is being met with concerns from trial lawyers and civil liberties groups alike who believe it has the potential to violate privacy rights, The Vancouver Sun reports. Officials are calling for the government to publicize the privacy impact assessment (PIA) for the database to reveal how data on the site will be protected. However, that is not a requirement of Canadian law. As a spokesman for the Office of the Information and Privacy Commissioner noted, conducting and sharing a PIA for a database such as Talon is "discretionary," although some government ministries volunteer to make them public.

GEO PRIVACY

Privacy Concerns Limit Spread of Location Services (February 18, 2011)

In its four-part series on location-based services, The Globe and Mail explores what it describes as the "primary reason for resistance among some users to the location trend"--privacy concerns. The report references a Microsoft survey that found nearly half of all Canadians are concerned about sharing location information and "64 percent are specifically concerned with controlling which organizations have access to that information." Comparing those concerns to social networks' use of personal information, the report suggests that for businesses, "the most important first step...is to make sure the business and the customer are both clear on exactly what will and won't happen to the information collected."

HEALTHCARE PRIVACY

Hospitals Testing Anonymization Software (February 18, 2011)

An Ottawa doctor has developed technology to protect patient privacy in the electronic health record environment, CBC News reports. Dr. Khaled El Emam, Canada Research Chair for electronic health information at the University of Ottawa, says his Privacy Analytics software makes patient records anonymous. "One has to be very careful in terms of sharing health information to make sure it's truly anonymous," Emam says, "so that we can make that available for all the good things you can do with medical data." The software is being tested in Ontario hospitals.

PRIVACY LAW

Opinion: Awarded PIPEDA Damages Could Open Floodgate (February 18, 2011)

After the Federal Court of Canada's decision to award damages for the first time under the Personal Information Protection and Electronic Documents Act (PIPEDA), it "will be interesting to see whether this case opens a floodgate of litigants seeking damages" opines attorney David Canton in the London Free Press. A judge ordered Transunion of Canada last December to pay $5,000 in damages to a Calgary man after it reported inaccurate personal information about him to a bank in connection with his loan application, resulting in it being denied. The court decision was based on the credit bureau's disclosure of inaccurate information and its failure to "rectify the problem in a timely manner."

RFID

W. Kelowna Dumps Trash Program, Again (February 18, 2011)

Citing privacy concerns, the West Kelowna council voted once again to opt out of the region's RFID trash management system, reports Kelowna Capital News. The system aims to identify and penalize people who dispose of contaminants along with their yard waste materials by linking trash bins to addresses. Council members said they want more controls and regular monitoring of the security of the data collected, noting that "the district is being asked to pay a fee for a program that infringes on the rights" of its citizens. And West Kelowna Mayor Doug Finlander said of the program that he continues to "have concerns over whether this is effective."

DATA LOSS

Patient Data Found in Hospital Parking Lot (February 18, 2011)

The Office of the Information and Privacy Commissioner of Ontario has required St. Thomas Elgin General Hospital to investigate how a schedule containing patients' personal information was found in the hospital parking lot. A London Free Press report states that the form included 97 patients' names, addresses and reasons for visiting the hospital and OHIP numbers for at least 15 of them. The hospital has sent letters to all those affected apologizing and telling patients how to check if their OHIP numbers have been used inappropriately. According to the report, the hospital does not believe there was any malicious intent in removing the document from the building and will be handling this information electronically from now on.

DATA PROTECTION

PCI Council Launches Training Program (February 18, 2011)

The PCI Council today begins its series of training programs intended to educate practitioners on Payment Card Industry Data Security Standards (PCI DSS). Council General Manager Bob Russo told Info Security that the courses "cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant." Offerings include in-person sessions as well as online training, and according to Russo, there will likely be supplemental guidance throughout the year. Version 2.0 of the PCI DSS went into effect last month, and merchants have one year to comply with the new standard. "We can say confidently that (PCI compliance) is the best defense you will have against a breach, but by no means is this the ceiling," said Russo.

PRIVACY LAW

G8 May Have Privacy Focus (February 16, 2011)

Following up on its efforts in October to move toward the goal of adopting "an international binding legal instrument harmonizing the protection of privacy," France has announced its intent to bring the world's Internet leaders to the G8 Summit in May. An announcement from France's Commission nationale de l'informatique et des libertés (CNIL) suggests that including privacy on the agenda for the G8 "would mark a critical milestone in the protection of privacy against the development of digital technologies." Despite the continual exchange of data across borders and the prevalence of biometrics, geolocation and surveillance, the CNIL points out that "there is no globalized legal answer, and the levels of privacy protection are disparate."

ONLINE PRIVACY—CANADA

Report: Lottery Site Privacy Problems Fixed (February 16, 2011)

An online lottery site did not adequately protect users' privacy when it was launched, an investigation has determined, but the issues have since been addressed, The Vancouver Sun reports. British Columbia Information and Privacy Commissioner Elizabeth Denham completed an investigation into BC Lottery Corp.'s PlayNow.com, which experienced "data crossovers" last summer that allowed users to see such personal information as credit card information from other users. Announcing the investigation's findings on Tuesday, Denham noted the security gaps were not directly responsible for the data crossovers, the report states, and concluded the corporation has "since taken steps to address the problem and the site now adequately protects users' privacy."

DATA LOSS

Dating Site Hacked, Names and Passwords Exposed (February 11, 2011)

The online dating site eHarmony has announced that a hacker used a vulnerability to access the usernames, e-mail addresses and passwords of users of its informational site eHarmony Advice. CNET News reports that the Krebs on Security blog first reported the vulnerability and soon after found eHarmony data offered for sale on an online marketplace for hacked data. The company says it has fixed the vulnerability and is notifying affected customers and suggesting that they change their passwords. "At no point during this attack did the hacker successfully get inside our eHarmony network," the company said in a blog post. The company has not released the number of users affected, but says it represents less than .05 percent of eHarmony's 33 million users.

PRIVACY LAW

Commissioner: Info Sharing Breached Law (February 11, 2011)

Information sharing between energy company Powerstream and the city of Vaughan violated the Municipal Freedom of Information and Protection of Privacy Act, Ontario's information and privacy commissioner has ruled. The two entities stopped sharing citizen data after a complaint was lodged last year by a city hall watchdog who was concerned that residents' personal information was being misused, York Region reports. The power company had been sharing the information with the city since 2005. The commissioner's office is satisfied that the information sharing has stopped and therefore did not include recommendations in its seven-page report.

DATA LOSS

Dickson: Breaches Need Stiffer Penalties (February 11, 2011)

Saskatchewan Privacy Commissioner Gary Dickson told The Mercury that stiffer penalties are needed for people and organizations responsible for breaches such as the recent one at Sun Country Health Region, where an employee inappropriately accessed patient prescription data. Dickson said that while the health region hasn't disclosed the employee's punishment in this case, he fears weak penalties are sending a bad message, and the Ministry of Justice is not backing stronger actions when health regions seek them. "If the penalties are light for breaches of confidentiality, then curiosity often overcomes training," Dickson worries. With many employees having access to electronic health records, the message and the punishments need to be stronger, he says.

PRIVACY LAW

Info-Sharing Plans Anticipated Privacy Concerns (February 11, 2011)

The Toronto Star reports on negotiations between the U.S. and Canada that would create a single security ring around the perimeter of both countries and would allow for greater information sharing about Canadians with the U.S. According to a document prepared during negotiations last fall, officials anticipated that Privacy Commissioner Jennifer Stoddart and the Council of Canadians would challenge the plan. The document therefore noted as a strategy that officials maintain an ongoing engagement with Stoddart and that the government stress that it values and respects the countries' "separate constitutional and legal frameworks that protect privacy, civil liberties and human rights."

PRIVACY LAW

Public Salaries Are Private Information (February 11, 2011)

Quebec's new access and privacy commissioner has suggested he might recommend more transparency for public-sector salaries when he submits the commission's five-year review to the government in June, The Ottawa Citizen reports. Public-sector salaries are considered personal information in the province, and disclosure of such figures can result in fines ranging between $200 and $2,500. Senior managers' salaries may be disclosed but can take up to 30 days to process after a request is made. Supreme Court decisions have upheld the decision to keep such information private, which Privacy Commissioner Jennifer Stoddart has called "a direct challenge to our collective will to go toward the greatest possible transparency of the state."

TRAVELLERS’ PRIVACY

Agency: Don’t Post Vacation Plans (February 11, 2011)

Canadians should abstain from posting information to their social networking profiles about their vacation plans. That was the warning from the Canadian Anti-Fraud Centre, which said that posting vacation plans on Facebook and Twitter leaves individuals vulnerable to identity fraud and home robberies, reports the Toronto Star. Thieves sifting through individuals' social media pages may also use the information to send a deceptive e-mail to family and friends claiming that they've "run into trouble overseas" and need funds, the centre warns. A CEO specializing in private home rentals says its online users are encouraged not to use real names to protect themselves and suggests privacy settings should restrict strangers' access to location-based posts.

ONLINE PRIVACY

Schwartz Discusses the Impact of Choice on Privacy (February 8, 2011)

Barry Schwartz, author of The Paradox of Choice: Why More is Less and professor of social therapy and social action at Swarthmore College, shared his insights on the intersection of choices and privacy with the Privacy Advisor. "I think the main task facing organizations that worry about Internet privacy is to figure out a 'default' level of privacy that enables people to benefit from what the Web makes available and not be tortured by it," he explained. Schwartz, who will be a keynote speaker at the IAPP Global Privacy Summit in March, said he will be discussing "how too much choice produces paralysis rather than liberation, leads to bad decisions and reduces satisfaction with even good decisions."

PRIVACY—CANADA & U.S.

Border Security Pact May Incite “Alarm Bells” (February 4, 2011)

Canadian Prime Minister Stephen Harper and U.S. President Barack Obama are meeting today in Washington, DC, where they are expected to sign a border security agreement that would enable greater information sharing between the two governments. The Toronto Star reports that a draft of the agreement called for a greater exchange of law enforcement information and more cooperation when it comes to verifying travellers' identities. Some in government have criticized the Harper government for not inviting a public debate on the topic, while others have speculated that the deal's associated privacy concerns will make "alarm bells go off."

SURVEILLANCE

Report Recommends Continuing Calgary CCTV (February 4, 2011)

A report to council recommends that surveillance cameras installed in Calgary remain in place despite the concerns of the province's privacy commissioner. In 2008, council approved the installation of 16 closed-circuit television cameras in high-crime areas of the city. Footage from the cameras was examined 93 times in the past two years, and, according to the report, the public and businesses support their use. Last July, Privacy Commissioner Frank Work said that the decline in crime should have the public questioning the need for the cameras, saying, "If we are frightened by the thought of crime, we are more willing to give up privacy and other civil liberties if we think it will make us safer." The report did not recommend expanding the system.

PRIVACY

Denham Looking into BC Gov’t Computer Crash (February 4, 2011)

The Times Colonist reports that BC Information and Privacy Commissioner Elizabeth Denham has asked to review the government's final report on a computer crash that disabled its system. Provincial officials say computer technicians making normal upgrades to the system caused Monday's crash when they inadvertently generated a large amount of traffic to the network, the report states. All government Web sites, the employee Intranet and e-mail servers were affected. Experts have ruled out an attack by hackers and say no personal information was compromised.

TRAVELLERS’ PRIVACY

Opinion: Make Scanners Mandatory (February 4, 2011)

Pam Frampton, story editor for The Telegram, shares her side of the airport body-scanner debate in an op-ed saying, "I'm all for personal privacy, but in this case I think it's trumped by public safety." She would like to see mandatory body scanning for all passengers and crew. The way things are now, says Frampton, "even if you've been scanned, not all of your fellow passengers will have been, and where's the reassurance in that?" Frampton acknowledges the concerns voiced by Privacy Commissioner Jennifer Stoddart and opponents of the machines but notes that the Canadian Air Transport Security Authority says it has taken steps to address privacy concerns.

TRAVELERS’ PRIVACY—U.S.

TSA Deploys New Body Scanners (February 4, 2011)

The Transportation Security Administration this week debuted software designed to make airport body scanners less invasive, The Washington Post reports. The software creates generic body images and displays any detected anomalies in a red outlined box around the specific area of concern. The software will be incorporated at Reagan National Airport in Washington, DC, and in Atlanta, the report states, and could eventually land at all 78 airports currently using body scanning technology. "We believe it addresses the privacy issues that have been raised," said TSA Chief John Pistole. (Registration may be required to access this story.)

SOCIAL NETWORKING—U.S.

Fake Dating Site Mines Profile Pictures (February 4, 2011)

The world's largest social networking site is "not amused" that two artists gathered public profiles of more than a million of its users to create a fake dating Web site, the San Francisco Chronicle reports. "Users can search based on nationality, traits like 'easy going' and gender or can simply enter a name and see if they're in the database. When users click a result to 'arrange a date,' they're taken to the person's public Facebook profile," the report states. The site mined the profile data without Facebook's permission, the report states, and the company plans to "take appropriate action."

PERSONAL PRIVACY

Cavoukian Releases Smart Grid Study (February 2, 2011)

Ontario Privacy Commissioner Ann Cavoukian today released a study on an Ontario utility's approach to smart meter deployment, which she says should serve as the model for all future smart grid investment, The Globe and Mail reports. Released at a California event, Operationalizing Privacy by Design: The Ontario Smart Grid Case Study is the third in a suite of papers on smart grid deployment. It describes the utility's policy to only include customer identification information in the company's own billing records and not share it with third parties unless consent is acquired for service offers. "Smart grid technologies have the potential to collect extremely detailed information about energy consumption in the home, which can lead to the unwelcome profiling of individuals," Cavoukian said.

DATA LOSS—CANADA

Dickson: Breaches Need Stiffer Penalties (February 2, 2011)

Saskatchewan Privacy Commissioner Gary Dickson told the Leader-Post that the province needs to dole out stiffer penalties to individuals and organizations responsible for data breaches. The comments came on the heels of a breach at the Sun Country Health Region where an employee inappropriately accessed patient prescription data. Dickson said he was "impressed" with the investigation but noted privacy breaches involving electronic health records are serious matters and risk undermining public confidence in the system. "In a number of cases, termination would be the appropriate response," Dickson said, adding, "A minor fine or a suspension of a couple weeks without pay in my mind really minimizes what I think is a much more serious matter."

ONLINE PRIVACY

Mozilla Offers Do-Not-Track Feature (February 1, 2011)

Mozilla has confirmed that its Firefox 4 Web browser will include a do-not-track system allowing users to opt out of targeted advertising, V3.co.uk reports. "This is just our first step," said Mozilla developer Sid Stamm. "We are exploring ways to empower users to have more robust and precise control over their data, and will share our progress on this as it is made." Google has added a similar feature to its Chrome browser, while Microsoft is exploring tracking protection to work consistently across browsers. The announcements come in the midst of questions about what "do not track" actually means, prompting the Center for Democracy & Technology to release a draft definition.

DATA PROTECTION—CANADA

MPs Pleased with Response to Privacy (February 1, 2011)

A House of Commons committee says the privacy of Canadians is being protected by online mapping applications like Google Maps, Winnipeg Free Press reports. The committee has been examining efforts by companies that build online maps using real pictures of homes and streets, such as Google and Canpages, the report states, and says both companies' policies about notifying individuals of filming and blurring identifying information are sufficient. Following Privacy Commissioner Jennifer Stoddart's investigation and subsequent recommendations about Google Street View cars' accidental collection of WiFi data, MPs now say they are "cautiously optimistic" that Google is taking privacy more seriously since it hired a privacy director and introduced employee training. Stoddart had said today was Google's deadline for compliance. The committee, however, said it has concerns about companies not considering privacy in the development phase of new technologies.

DATA PROTECTION

Study: Compliance Saves Money (February 1, 2011)

A benchmark study conducted by the Ponemon Institute and sponsored by Tripwire has shown that investing in IT and security compliance can save companies money over time. Bank Info Security reports that through interviews with 160 IT practitioners across a broad range of industries, the study found that companies that review and maintain compliance with security standards spend an average of $3.5 million yearly, while the cost of noncompliance came in at $9.4 million--due mostly to business disruption and loss of productivity, according to the researchers. Tripwire's Rekha Shenoy noted that, in terms of compliance reviews, "PCI was the one that was top of mind across all industries, because they all take card payments."

SOCIAL NETWORKING

Advocates Not “Liking” Ad Plan (January 31, 2011)

While a new feature on the world's largest social network is being seen as potential gold for advertising, privacy advocates and some users are raising concerns, USA TODAY reports. The new advertising format uses Facebook members' "likes" and other online actions to create promotional content in the form of "Sponsored Stories," which "became available for large brands to buy last week and is being rolled out over the next few weeks to Facebook's more than 500 million members." The Electronic Frontier Foundation is calling for an opt-out option for users. "Any time they make a change, people react, especially if there is a commercial element," says Future of Privacy Forum Director Jules Polonetsky, CIPP.

ONLINE PRIVACY

Data Privacy Day Brings Words of Caution (January 28, 2011)

On the eve of Data Privacy Day, Privacy Commissioner Jennifer Stoddart issued a statement urging individuals to remember to protect their personal information when sharing online. "There are nearly two billion people now using the Internet," Stoddart noted in a message about Data Privacy Day. "That's two billion people who can potentially access information about you with the click of a button." Both Stoddart and BC Information and Privacy Commissioner Elizabeth Denham shared insights on how the prevalence of personal information online affects privacy in ways that are spurring concerns. The goal of the annual Data Privacy Day is to help raise awareness about the impact of technology on privacy rights and personal information.

SOCIAL NETWORKING

Work: Employee Guidelines a Good Idea (January 28, 2011)

Alberta Privacy Commissioner Frank Work is warning that employees who use social networks to complain about their workplaces "can't necessarily expect privacy legislation to prevent their employer from using those remarks against them," the Calgary Herald reports. The city's new guidelines governing social media state, "The line between your public and private lives is blurred in online social networks...Should it be determined that your social media reputation may be adversely affecting the city's reputation, the decision may be made to remove you as an authorized spokesperson on city-related issues." Work said having guidelines is a good idea, the report states, and advises exercising good judgment when it comes to posting online.

PRIVACY LAW

Buzz Lawsuit Filed (January 28, 2011)

E-Commerce Times reports on a class-action suit filed by a Manitoba resident over Google's social networking service, Buzz. The lawsuit comes in the wake of Google's settlement in the U.S. of a Buzz class-action suit for $8.5 million. The lawsuit cites "unspecified damages regarding alleged problems stemming from Google's social networking and messaging tool," the report states. The suit contends that although Google told users that they had a choice, the company automatically activated Buzz for its Gmail accounts. Attorney Norman Rosenbaum called the issue "a breach of privacy... it automatically affected all of your followers. Even if you said you didn't want to have your e-mail list forwarded, it did it anyway."
Full Story

DATA LOSS

Medicine Centre Breach Could Affect 60,000 (January 28, 2011)

Ottawa's Bruyere Family Medicine Centre is alerting patients that some of their personal information may have been compromised after the theft of two computers, CBC reports. Though neither computer contained medical information, data on as many as 60,000 of the clinic's patients between 1971 and July 2006 may be stored on them, including names, dates of birth, street addresses and health card numbers. There is no evidence to suggest the information has been accessed or used inappropriately, and the incident has been reported to police and the privacy commissioner, the report states.
Full Story

PRIVACY

BC Commissioner Creates Advisory Board (January 28, 2011)

BC Information and Privacy Commissioner Elizabeth Denham has announced that she has invited six people from both the public and private sector to serve on an advisory board to help identify and address emerging privacy problems, CANOE reports. As most of her office's staff "are fully utilized resolving important access disputes and privacy complaints," Denham explained, "I want to enhance the office's other vital responsibilities, such as public education, policy work, research and providing expert guidance to public and private sector." The advisory board members include a former provincial privacy commissioner, two academics, a former assistant privacy commissioner, a privacy consultant and a former police complaints commissioner.
Full Story

SOCIAL NETWORKING

Advertisers To Have Access To Online Posts (January 28, 2011)

The Associated Press reports that Facebook users' posts may soon be retransmitted to their online friends as "sponsored stories" from advertisers. The feature, which will be based on users' current privacy settings, does not currently have an opt-out provision. "Involving users in advertisements without their consent has been a thorny issue for Facebook," the report states, quoting Marc Rotenberg of the Electronic Privacy Information Center's suggestion that the company is making money off users' names or likenesses without their consent. The practice is "subtle and misleading," Rotenberg said, recommending users object to the plan.
Full Story

ONLINE PRIVACY

Privacy as Competitive Edge (January 27, 2011)

The Wall Street Journal examines whether startup search engine DuckDuckGo's pledge to honor user privacy by not storing personal data or sending search information to other sites will provide a competitive edge against online search giants. The report poses the question, "Would you switch search engines for privacy reasons, or are other aspects of search more important to you?" DuckDuckGo's founder has said the company's goal is to appeal "to a non-negligible part of the population," adding he expects the site to see about 4 million searches this month, up from a typical 2.5 million per month before he publicized its privacy features. (Registration may be required to access this story.)
Full Story

SURVEILLANCE

Coming Soon: Cameras Everywhere (January 27, 2011)

USA TODAY reports on the ubiquity of digital sensors and the resulting "explosion of sensor data collection and storage." One chief technical officer predicts that sensors, already status quo in airports, subways, banks, ID cards and laptops, "will touch nearly every aspect of our lives." Privacy concerns need to be addressed before then, says privacy expert Christopher Wolf. "What's new is the capacity for databases to share data and therefore to put together the pieces of a puzzle that can identify us in surprising ways--ways that really could be an invasion of privacy," Wolf said. The article also discusses the potentially "chilling effect" of photo tagging.
Full Story

PRIVACY—CANADA

Stoddart Looks to Privacy Enforcement (January 26, 2011)

The Ottawa Citizen reports on Privacy Commissioner Jennifer Stoddart's first public lecture of 2011, where she "put the Canadian privacy and business communities on notice that she intends to use her new mandate to reshape the enforcement side of Canadian privacy law." During her talk at the University of Ottawa, Stoddart spoke of strategies to move organizations into better privacy compliance practices. Stoddart said enforcement reform is likely to focus on such factors as penalties for violations and empowering the Office of the Privacy Commissioner to "name organizations that violate the law," the report states.
Full Story

ONLINE PRIVACY

Search Engines Offer Opt-Out Plans (January 25, 2011)

Major media outlets are reporting on plans by Google and Mozilla to offer do-not-track options for their users. Google has announced its new "Keep My Opt-Outs" tool, which enables users of its Chrome Web browser to permanently opt out of online tracking, while Mozilla's new opt-out tool for its Firefox browser provides users with more understanding and control of how their personal information is being used by advertisers. A Federal Trade Commission spokeswoman discussed efforts by Mozilla, Microsoft and Google to provide do-not-track options. Meanwhile, MediaPost News reports that while the FTC is cheering such plans, "whether ad networks and online marketers will follow those preferences is far from clear."
Full Story

ONLINE PRIVACY

Opinion: Is There a Dark Lining in the Cloud? (January 25, 2011)

There are many benefits to cloud computing, but European Commissioner Viviane Reding questions, "is there a dark lining to the cloud?" In an opinion piece for The Wall Street Journal, Reding cautions, "Consumers who store data in the cloud risk losing control over their photos, contacts and e-mails. Data is whirling around the world: A UK resident who creates an online personal agenda could use software hosted in Germany that is then processed in India, stored in Poland and accessed in Spain." Describing the European Commission's commitment to privacy, she writes that the EU's data protection rules "have stood the test of time, but now they need to be modernized to reflect the new technological landscape." (Registration may be required to access this story.)
Full Story

DATA LOSS

Smartphone User Data Potentially Exposed (January 24, 2011)

A mobile application developer has warned of a data breach that could affect up to 10 million users, SC Magazine reports. Trapster.com says a hacker may have accessed user e-mail addresses and passwords and advises that users change their passwords. The company believes this was a single event and has rewritten the software code to prevent future attacks, it says. It is now notifying those potentially affected, though there is no evidence that the data has been used.
Full Story

DATA PROTECTION

Stoddart: Fining Powers May Be Necessary (January 21, 2011)

Privacy Commissioner Jennifer Stoddart says her office may need fine-levying authority in order to more effectively protect the privacy of Canadians, according to an article in The Wire Report. In a speech at the University of Ottawa's Centre for Law, Technology and Society on Wednesday, Stoddart said, "I am increasingly of the view that we may need stronger powers to be an effective privacy guardian for Canadians. Canada has become one of the few major countries where the data protection regulator lacks the ability to issue orders and impose fines." Editor's note: To learn more about the fine-issuing capabilities of privacy regulators worldwide, see the IAPP's 2010 Data Protection Authorities Global Benchmarking Survey. (IAPP member login required.)
Full Story

DATA PROTECTION

Commissioner Orders Retailer: Protect PII (January 21, 2011)

Alberta's privacy commissioner has ordered Staples Canada to better protect personal information, The Edmonton Journal reports. The retailer must now ask customers who bring a computer in for repair if the machine contains a hard drive and if they authorize any personal information to be destroyed or preserved if the company buys back the computer, the report states. The commissioner's order follows an investigation after the store bought back a computer but could not locate its hard drive when the customer requested it be wiped of PII. A spokesman for the commissioner said though the order is Staples-specific, "the message would be that we would like all companies that deal with computers to have similar policies and procedures in place."
Full Story

DATA LOSS

NS Officer To Investigate Alleged Breach (January 21, 2011)

Nova Scotia's privacy review officer has decided to launch an investigation into an alleged breach of confidentiality at the Workers' Compensation Board (WCB), The Chronicle Herald reports. The board allegedly mailed the personal information of one person--including social insurance number, birth date, address, phone number and medical record--to someone else. Privacy officer Dulcie McCallum said, "This is an important issue...This is people's personal health information." The WCB says that the information was not disclosed to anyone, according to the report, and a spokeswoman for the board welcomed a possible inquiry, saying, "We'll work with them to give them whatever they need."
Full Story

HEALTHCARE PRIVACY

Hospital Ordered To Examine PHI Protection After Breach (January 21, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian has ordered Ottawa Hospital to examine its rules and practices relating to personal health information following another electronic breach of a patient's medical records, the Ottawa Citizen reports. Cavoukian has found that the hospital "failed to comply with certain elements of a revised policy," the report states, after asking the hospital to consider changes following a breach in 2005 that was "strikingly similar" to one recently investigated. Cavoukian has concluded, "the actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective" and fail to comply with a section of the Personal Health Information Protection Act.
Full Story

DATA PROTECTION

More Calls for Privacy by Design Expected (January 21, 2011)

As demonstrated across Canada recently, potentially privacy-invasive technologies are entering our everyday lives with increasing regularity. In recent weeks and months, Canadians have pondered the possibility of surveillance cameras on buses, radio frequency identification technology in trash bins and have witnessed the entrance of facial-recognition technology into casinos. Privacy is affecting what many view as "low tech" industries, writes Brian Bowman for the Winnipeg Sun. Bowman adds that we'll see more of this in the coming year and, accompanying it, we'll hear more calls for privacy by design, the embedding of privacy within such technologies.
Full Story

DATA PROTECTION

Cartmell: SGI Strikes Balance on Privacy (January 21, 2011)

In a StarPhoenix op-ed, the president and CEO of SGI responds to charges that his company collects too much personal health information. Saskatchewan Information and Privacy Commissioner Gary Dickson announced recently that the government auto insurer was "over collecting" information about claimants. Dickson said the company should revise its procedures. But CEO Andrew Cartmell says SGI collects the complete medical records of only a minority of customers who have filed complex injury claims. Cartmell adds that "SGI always asks customers for their consent to obtain medical records, and customers have the right to refuse."
Full Story

GENETIC PRIVACY

Controversial DNA Method: Could it Catch Criminals? (January 21, 2011)

DNA evidence has linked a single unknown man to three sex assaults in Vancouver, and police say he could be responsible for five more unresolved cases, CTV reports. Some say that a controversial DNA analysis, which helped to capture a murderer in the U.S., could potentially help BC police capture the suspect, but privacy advocates have lobbied against the method, which is legal in only two U.S. states. It involves finding "near matches" to the suspect's DNA sample in order to locate family members that may lead police to the suspect. Canada's Office of the Privacy Commissioner says the method has moral implications and at this point it would "not support it."
Full Story

DATA PROTECTION

Online Services Come with a Cost: PII (January 21, 2011)

The U.S. government's recent request for WikiLeaks users' personal information and communication highlights the challenge facing many individuals and brands online, opines Mitch Joel for The Montreal Gazette. The Internet serves as a business place and the companies operating on it need to make money, Joel writes. User data is the currency. The privacy policy you may have agreed to when signing up for a service is subject to change at any time and should be considered a "buyer beware" modality. There are lots of opportunities provided by online services, but they come at a cost, he says.
Full Story

SOCIAL NETWORKING

Facebook Suspends Third-Party Plans (January 21, 2011)

Facebook has decided to suspend its latest privacy policy modification, which would have enabled third-party applications to access users' addresses and cell phone numbers, reports the Inquirer. The company said it would protect users' personal information by only sharing it with third parties if the user explicitly granted permission to do so, but a Facebook spokesman this week said the company would "temporarily disable the feature" based on feedback that it could make people more clearly aware of the changes. Some have questioned how the third parties would use the additional data.
Full Story

ONLINE PRIVACY

Flash Fix is Important First Step (January 21, 2011)

The Wall Street Journal reports on efforts to improve privacy controls in Adobe's Flash video player after privacy advocates and regulators raised concerns that companies could use such technology to track Internet users. "So-called 'Flash cookies,' which are small files stored on a user's computer through the Flash program, have raised privacy questions because they are more difficult for users to detect and delete than regular cookies associated with Web browsers," the report states, noting that although Adobe's effort to simplify the program's settings is an important step, it "doesn't solve all the issues associated with this type of tracking," and other video programs can also track users. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Survey: PCI DSS Standards Necessary (January 21, 2011)

A new survey has found that the majority of IT security practitioners believe that the Payment Card Industry Data Security Standard (PCI DSS) is necessary for protecting cardholder information, SC Magazine reports. The Cisco survey polled 500 IT security decision makers in healthcare, finance, retail and education, a majority of whom said they were "very confident" they could pass an assessment today. The greatest challenge for PCI DSS compliance is educating employees about the proper handling of cardholder data, the report states. Respondents also indicated they expect "significantly increased spending" on PCI compliance this year.
Full Story

PRIVACY

Work Issues Annual Report (January 14, 2011)

Alberta Information and Privacy Commissioner Frank Work has issued his annual report for 2010. The report highlights key issues and laws and includes judicial decisions, statistical information, investigation reports and a breakdown of cases by legislation. An Edmonton Journal report references Work's opening message in the report, which includes a call for more transparency for the provincial government. Also in his message, Work looks at challenges for the year ahead, calling for his office to "mediate and adjudicate in a more timely fashion with the resources we have."
Full Story

BIOMETRICS

Cavoukian Lauds Casino Facial Recognition Plan (January 14, 2011)

Ontario Privacy Commissioner Ann Cavoukian has lauded a new facial scanning system to be installed in all 27 Ontario Lottery and Gaming Corporation casinos, hailing it as "the most privacy-protected system using biometric encryption in the world," reports the Toronto Star. The system aims to help self-professed problem gamblers stay out of casinos. Beginning in May, those entering an Ontario Lottery and Gaming Corporation casino will have their faces digitally scanned and their identities cross-checked with a database of people who have voluntarily banned themselves from casinos, the report states. The developers of the system's privacy component--University of Toronto biometric engineers--say their methods ensure no permanent link between a biometric template of a person's face and that person's private information.
Full Story

PRIVACY

Quebec’s Privacy Commissioner To Focus on Access (January 14, 2011)

The Montreal Gazette reports on the swearing in of Quebec's new information access and privacy commissioner, Jean Chartier, noting his focus will be on "access to government information and a preventive approach in privacy protection...informing people they are not obliged to divulge extensive private information just to join a video club, for online shopping or to join a social network." At his first news conference this week, Chartier said that when it comes to privacy, "This is your personal information. You should protect it." He has also said the commission's rulings must follow access and privacy laws as written or face having those decisions challenged in the courts.
Full Story

PRIVACY LAW

Guilty Verdict for Census Avoider (January 14, 2011)

A Saskatchewan woman has been found guilty of violating Canada's census law because she refused to answer questions that she said violated her right to personal privacy, CBC News reports. Sandra Finley had argued that questions related to her employment, sexual orientation and ethnic background, among others, were not the government's business. But a provincial judge ruled on Thursday that Finley's privacy rights were not violated by the requirement to fill out the 2006 long form, the report states. Finley faces up to three months in jail and a $500 fine. She will be sentenced on January 20.
Full Story

PRIVACY LAW

What Will Bill C-28 Mean to You? (January 14, 2011)

In a report for the Toronto Sun, David Canton explores the implications of the recently passed Bill C-28 anti-spam legislation, which is expected to go into force later this year. "If you think it won't affect you because you don't send mass e-mails trying to sell random products and don't infest other people's computers with spyware, you would be wrong," he writes. Canton explores the implications of Bill C-28 on commercial electronic messages such as instant messages, social media and even software updates. Potentially, he writes, "while the intention is to control what we all understand as spam and spyware, it has the potential to affect many things that we may not intuitively" consider as such.
Full Story

DATA LOSS—CANADA

Breaches Not Reported Publicly (January 12, 2011)

Infosecurity reports that Statistics Canada has experienced a number of recent data breaches that have exposed sensitive information and, while the cases were investigated, Statistics Canada failed to report the breaches publicly. "There have been a number of data breach cases of employees having their laptops containing confidential information stolen," the report states, noting at least two incidents where "employees left sticky notes with the passwords on their computers." The Office of the Privacy Commissioner has labeled a separate incident where employment records of 66 census takers and managers were left in surplus filing cabinets and sold at auction as "a serious matter."
Full Story

PRIVACY LAW—CANADA

Government Refuses to Release Contract (January 12, 2011)

Despite an order to do so by the provincial privacy commissioner, the BC government has refused to hand over the full, unedited copy of its $300 million contract with IBM to the Freedom of Information and Privacy Association (FIPA), the Times Colonist reports. An adjudicator had decided last November that the government must turn over the contract, as well. A spokeswoman for the Citizens' Services Ministry said it has turned over almost all of the 535-page contract, withholding only server names and network addresses to protect against hackers. "They are out there and they are smart," Citizens' Services Minister Mary MacNeil said. "In the end, security is paramount."
Full Story

SURVEILLANCE—CANADA

Bus Cameras Delayed Due to Privacy Concerns (January 10, 2011)

The Record reports on concerns about transit service plans to install surveillance cameras on Waterloo buses later this year. Grand River Transit has delayed installing the cameras due to complaints that the regional council hadn't consulted the public on the plans and that no surveillance policy existed, the report states. The council has since launched a public consultation and the transit service is reportedly developing policies on data retention and use. A spokesperson for the Office of the Information and Privacy Commissioner of Ontario said, "I think it's critical to have those policies in place before the cameras go live."
Full Story

PRIVACY LAW

Opinion: Utility Information Should be Considered Private (January 7, 2011)

Lawyer Bob Aaron opines on the Supreme Court of Canada's 7-9 decision that court evidence introduced based on a warrantless police search was permissible, the Toronto Star reports. The case involved a suspected marijuana home-grow operation. Calgary police, upon suspicion, asked the home's utility supplier to install a home-energy monitor without a warrant. The information was used in court to convict the home owner after police obtained a search warrant and seized significant amounts of marijuana and related grow-operation items. As smart meters that record home energy usage are increasingly installed in Canadian homes, Aaron writes, "police in this country can't simply go and seize electrical readings from local hydro suppliers."
Full Story

SOCIAL NETWORKING

A 2010 Privacy Review (January 7, 2011)

In a report for the National Post, Matt Hartley looks back on 2010 and the impact social networking has had on privacy. "Just a few years ago, I might have felt uncomfortable revealing quite so much of myself to the world," he writes, "But in the age of Facebook and Twitter, of Foursquare and Xbox Live, all of us--not just reporters--have a public profile, an online persona we place before the world." The year that was 2010, he suggests, may well be remembered "as the year the general public's understanding of privacy began to change." However, he notes, it has also been the year when social networks began to "get serious" about privacy.
Full Story

PRIVACY

A-to-Z Year in Review (January 7, 2011)

In the Ottawa Citizen, Michael Geist offers an A-to-Z year-in-review of technology law developments in 2010, a period he describes as "exceptionally active." Geist mentions the passage of anti-spam legislation, large fines for violators of do-not-call rules and Facebook, "which settled several privacy complaints with the privacy commissioner of Canada." He also highlights some of the year's most notorious rulings on alleged privacy violations, such as the Supreme Court's decision in Queen v. Gomboc regarding the privacy of electricity usage data. Geist is the Canada Research Chair in Internet and E-Commerce Law at the University of Ottawa.
Full Story

HEALTHCARE PRIVACY—CANADA

Commissioner: Insurer Collects Too Much PHI (January 6, 2011)

The Regina Leader-Post reports on Saskatchewan Information and Privacy Commissioner Gary Dickson's announcement that SGI, the government auto insurer, "has rejected his authority to investigate the complaints of three individuals injured in accidents over SGI's use of their personal health information." Although the decision has put limits on his investigation, Dickson has said there is clear evidence the insurer is "over collecting" personal health information, the report states, citing one case where a complainant said the company collected information on her daughter and the child's birth father. Dickson wants SGI to revise its procedures and is asking the legislature to amend the province's privacy laws related to the use of health information.
Full Story

SOCIAL NETWORKING—CANADA

Experts: “Design for Privacy” (January 5, 2011)

"Every business needs to listen to Ontario's Privacy Commissioner Ann Cavoukian and design privacy principles and practices into their operations," Don Tapscott and Anthony D. Williams write in a CTV News report, noting that is especially true for social networks. The report considers the importance of privacy in the world of social media, suggesting, "In the past we only worried about Big Brother governments assembling detailed dossiers about us. Then came what privacy advocates called Little Brother--corporations that collect data from their customers." The authors advocate Privacy by Design for all companies and urge individuals to be vigilant about what they do online.
Full Story

PRIVACY LAW—CANADA

Manitoba Man Files Buzz Lawsuit (January 5, 2011)

A Manitoba man has filed a class-action suit over alleged problems with the launch of Google's Buzz program earlier this year, The Vancouver Sun reports. Norman Rosenbaum, the plaintiff's attorney, alleges that even though Google told users they could choose whether or not to use the company's Buzz service, it automatically activated on users' Gmail accounts, the report states. "It's a breach of privacy," Rosenbaum said. "It automatically affected all of your followers. Even if you said you didn't want to have your e-mail list forwarded, it did it anyway." The suit is seeking unspecified damages, the report states.
Full Story

DATA PROTECTION

Most Info Sec Budgets Unchanged for 2011 (January 4, 2011)

The Great Recession may have lingering effects on information security plans in 2011, SC Magazine reports. That's according to a recent survey that found 36 percent of respondents expect their budgets for IT security projects and data leakage prevention efforts to increase in 2011, compared with 41 percent in 2010. The Guarding Against a Data Breach survey, conducted by SC Magazine, ArcSight and research firm CA Walker, polled 468 information security leaders. Sixty percent expect their budgets to remain the same. Concerns about damage to the brand and compliance demands are top drivers for security planning, the report states.
Full Story

PRIVACY—CANADA

Manitoba Hires Privacy Adjudicator (January 3, 2011)

The Manitoba government has appointed its first information and privacy adjudicator, CBC News reports. Based on input from citizens on how best to allow for information access while protecting privacy, the government appointed Ron Perozzo, Manitoba's acting conflict-of-interest commissioner, who will help resolve access and privacy complaints, the report states. Perozzo will be able to issue binding orders to the government, school divisions or regional health authorities that do not follow the ombudsman's recommendations.
Full Story