Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY LAW

Commissioner: Criminal Record Checks Illegal (July 27, 2012)

BC’s privacy commissioner says some government employees are being subjected to illegal criminal record checks, The Victoria Times Colonist reports. Information and Privacy Commissioner Elizabeth Denham’s office concluded an investigation this week, finding that “the government is collecting too much personal information on prospective candidates, conducting criminal record checks for too many positions and failing to properly notify employees.” Denham has said the government must make changes to remedy the problem within a reasonable time. The government has said that it “has a responsibility to ensure the citizens of British Columbia have trust and confidence in public service employees.”

BIOMETRICS

Privacy Concerns Cited in DNA Exclusion (July 27, 2012)

The National Centre for Missing Persons and Unidentified Remains is slated to move forward next year but will not include DNA data, The Globe and Mail reports. Federal Minister of Public Safety Vic Toews said the government “accepted in principle” petitions asking for voluntary DNA inclusion in the databank but said the recommendation raises “a number of complex legal, privacy, financial and practical considerations.”

PRIVACY LAW

Denham: First Responders Bill Impedes Privacy (July 27, 2012)

BC’s information and privacy commissioner says a law aimed at protecting first responders has a “serious impact on the privacy rights of individuals.” The Emergency Intervention and Disclosure Act allows paramedics to demand blood tests from accident victims in order to protect first responders from coming into contact with infected blood. But in a letter to Minister of Labour, Citizens’ Services and Open Government Margaret MacDiarmid, Privacy Commissioner Elizabeth Denham says government “should only contemplate a privacy intrusion of this nature where there is a significant demonstrated need.”

PRIVACY LAW

BC Supreme Court: Councillor Breached Privacy Act (July 27, 2012)

Upholding a lower court ruling, BC Supreme Court Justice Selwyn Romilly dismissed an appeal by Prince George Councillor Brian Skakun, The Vancouver Sun reports. The lower court ruling found Skakun guilty of violating the province’s freedom of information and protection of privacy legislation when he leaked to the media confidential personnel data of the Royal Canadian Mounted Police, the report states. The ruling stated that Skakun, as an officer of the public sector, did not have the right to a “whistleblower” defence.

HEALTHCARE PRIVACY

Hospital Fires Employees for Privacy Invasions (July 27, 2012)

Eastern Health has fired five employees for breaching patient privacy after it was learned one employee “inappropriately and deliberately” accessed 122 patient files, CBC News reports. Six additional employees have been suspended following random audits. The health authority’s chief executive officer apologized to the affected patients this week. “When we identify a deliberate breach of patient privacy, we take action to discipline the offending employee. While the severity of the discipline is determined by the seriousness of the breach, there is zero tolerance for willful breaches of patient privacy,” the CEO said.

DATA LOSS

Hard Drive Containing PII Goes Missing (July 27, 2012)

A hard drive containing the personal information of approximately 800 city of Ottawa pension recipients has gone missing, the Ottawa Citizen reports. Towers Watson was in the process of switching computer systems when the unencrypted hard drive—containing names, birthdates, social insurance numbers and pension amounts—went missing. The organization is offering individuals two years of free credit monitoring and has notified the Office of the Privacy Commissioner of Canada (OPC). OPC spokeswoman Anne-Marie Hayden said, “we are encouraged by the steps they are taking to minimize any risks to the privacy of Canadians.”

ONLINE PRIVACY

Analyzing the “MAC and IP Address as PI” Debate (July 25, 2012)

In light of a debate during a U.S. Federal Communications Commission event in May, datagovernancelaw.com analyzes whether Media Access Control (MAC) and Internet Protocol (IP) addresses are personal information. Some experts assert they are not, while others disagree. The column queries, “Who is right? Why is it that we are still debating this fundamental issue?” Though MAC and IP addresses will rarely be considered personal information in and of themselves, “they are rich gateways to the collection and the accumulation of data points that can transform them into personal information,” the report states.

PRIVACY LAW—CANADA

BC Commissioner Releases Annual Report (July 23, 2012)

In her annual report, BC Information and Privacy Commissioner Elizabeth Denham says information and privacy law is being undermined by the provincial government, reports The Victoria Times Colonist. Recently enacted legislation has eroded 20-year-old laws on privacy, Denham said, adding she is “very concerned.” Four bills that changed rules on animal health, ferries, emergency disclosure and PharmaCare worked their way “quickly through the legislature, and we had very little time to get our message to the ministries during confidential consultation; we are really concerned about that,” Denham said, adding this indicates perhaps “a lack of understanding throughout government in the principles and the legal basis of freedom of information and protection of privacy.”

PRIVACY LAW

Estonian Hacker Gets Seven Years Behind Bars (July 20, 2012)

An Estonian man has been sentenced to seven years in prison for his involvement in a global hacking operation that saw the theft of tens of millions of payment cards, SC Magazine reports. A Long Island federal court sentenced Aleksandr Suvorov, who had pleaded guilty to wire fraud conspiracy and admitted to selling 160,000 payment card numbers stolen from the Dave & Buster’s restaurant group to an undercover officer, according to the report. The ringleader of the operation, which resulted in breaches at large retailers including Hannaford Bros., TJX, BJ’s Wholesale Club and Heartland Payment Systems, was sentenced to 20 years in prison in 2010.

DATA LOSS

Investigations Launched in Ontario Voter Breach (July 20, 2012)

After this week’s announcement of Elections Ontario’s breach involving unencrypted memory sticks containing information on up to 2.4 million voters, Ontario police, the Office of the Information and Privacy Commissioner and Elections Ontario are all investigating, reports the Associated Press. The head of Elections Ontario—which lost the data—has hired a law firm and forensic security firm to guide its investigation, and Privacy Commissioner Ann Cavoukian and police are working together to look into what Cavoukian has called the largest and most serious breach she’s seen in her 25-year career. One cybersecurity expert called the breach “easily preventable,” adding that data protection technologies are time- and cost-efficient enough for even small- and medium-sized businesses to use.

DATA PROTECTION

Clayton To Investigate Data Fallout from Fires (July 20, 2012)

Alberta Information and Privacy Commissioner Jill Clayton says her office will investigate the data protection practices of certain organizations housed in the Shaw Court building, which suffered an explosion and fire last week, reports CBC. “There are valuable lessons to be learned from an incident like this,” Clayton said, noting that included in her office’s message over the years has been that “part of protecting personal and health information against risks is to make sure you have a backup plan in place in case of a disaster.”

PRIVACY LAW

NB Commissioner Working with War Amps on Agreement (July 20, 2012)

New Brunswick Privacy Commissioner Anne Bertrand is working with officials from The War Amps of Canada on a data protection agreement, CBC News reports. War Amps gets citizens’ names and addresses annually from the Department of Public Safety for its key tag program but does not seek individuals’ permission to do so, the report states. This contravenes the privacy law that took effect in September 2010. Bertrand said the province didn’t realize there was no “exemption under the act allowing this disclosure of personal information to War Amps of Canada.”

PRIVACY LAW—EU & CANADA

EC Says Controversial Articles Removed From CETA (July 20, 2012)

Elements of the EU-Canada trade deal that had privacy advocates concerned have been removed, reports PCWorld. Following a leaked draft of the Canada-EU Trade Agreement (CETA), spokesman for the European Commission John Clancy says the controversial articles have been removed, though the deal is being conducted in private and it isn’t clear exactly what has been changed. Via a Twitter post, Clancy said, “CETA does not contain any provisions that differ from existing EU law.” CETA will reach the European Parliament in early 2014. Columnist Michael Geist says the deal creates “enormous risks for Canada’s trade ambitions.”

SURVEILLANCE

RCMP Considering Increased Use of Drones (July 20, 2012)

The RCMP currently has about 12 drones that it uses to take aerial photos of accident scenes, observe emergency situations and assist in investigations, and it is considering expanding the program to a national fleet, reports the Ottawa Citizen. An RCMP spokeswoman says the organization is in the “initial stages” of considering this move and will develop “technical specifications, national policy, training standards and, if necessary, privacy requirements,” the report states. This possible expansion comes amid controversy in the U.S. over a recent bill allowing commercial and private drone use.

FINANCIAL PRIVACY

A Warning to Mortgage Brokers: Get Ready (July 20, 2012)

Guest columnist for Canadian Mortgage Trends Justin Beadle recounts finding shared hard drives belonging to mortgage brokers open on a hotel WiFi network, giving access to customers’ mortgage applications to anyone with a networked computer. The experience “highlighted a major issue—the responsibility to protect personal information,” Beadle writes. With the growing illegal data trade, a breach such as this one could mean identity theft for customers. Proposed legislation would require companies to inform the Office of the Privacy Commissioner of Canada of this type of incident, prompting Beadle to encourage brokers to “work towards industry excellence by fully adopting privacy protection in all its forms.”

ONLINE PRIVACY

YouTube Releases Facial Blurring Tool (July 19, 2012)

YouTube has released a tool allowing people to obscure faces within videos uploaded to the site, The New York Times reports. The feature aims “to help protect dissidents using video to tell their stories in countries with repressive government regimes,” the report states. “Visual anonymity in video allows people to share personal footage more widely and to speak out when they otherwise may not,” said a YouTube spokeswoman, adding that “human rights footage, in particular, opens up new risks to the people posting videos and to those filmed.” YouTube said the feature would also help protect children’s identities. (Registration may be required to access this story.)

ONLINE PRIVACY

Skype Looking Into Messaging Bug (July 17, 2012)

Skype is looking into a bug resulting in the voice-Internet service sending instant messages to unintended recipients, CNET News reports. Skype says “in rare circumstances” and stemming from an upgrade last month, users intending to send a message to one contact have found the message has been sent to another, which one user called “a serious breach of privacy.” Skype says it is investigating the matter and hopes to provide a solution soon. “We are rolling out a fix for this issue in the next few days and will notify our users to download an updated version of Skype,” a spokesperson said in an e-mailed statement.

BIG DATA

Algorithm Predicts Future Location Based on Friends’ Movements (July 13, 2012)

Toronto Star reports on the development of an algorithm that can predict smartphone users’ future locations based on the movements of their friends. In a study of 200, the algorithm predicted users’ future locations to within 20-100 metres, according to the report. Lead researcher Mirco Musolesi of the University of Birmingham acknowledges “a problem for privacy,” but says, with protection of phone data, the algorithm could help behavioural advertisers. Harvard University Assistant Professor Edoardo Airoldi says that large-scale human behaviour studies such as this are the “next big thing” in big data.

TRAVELLERS’ PRIVACY

Border Pact Privacy Concerns Examined (July 13, 2012)

The Canadian Press reports on the Canada-U.S. pact that will see the two nations sharing data on those who cross their borders. The federal privacy commissioner has expressed concerns about some of the pact’s terms, as have civil libertarians such as Roch Tasse of the International Civil Liberties Monitoring Group, who says, “We’ll continue to have a good regime in Canada, but we’re passing on more information to a weaker privacy regime in the U.S. over which we’ll have no control.” A Calgary Herald editorial on the deal says, “Opportunities for abuse of privacy abound…and that is concerning.”

INFORMATION ACCESS

Amidst Calls for Reform, Act Turns 30 (July 13, 2012)

The Access to Information Act turned 30 earlier this month, and CBC News reports that while the act “has proved popular over its three decades…problems with the access to information law” are prompting calls for change. “What we really need to consider is whether we have the right exemptions, the right balance...between the information that needs to be protected and the information that should be disclosed,” said Information Commissioner Suzanne Legault. Legault has been calling for increased powers to order entities “to hand over records if they’re taking too long,” the report states, noting she currently may only make recommendations to that effect.

PRIVACY LAW

Geist: Anti-ACTA Sentiment Could Affect CETA (July 13, 2012)

In a feature for the Toronto Star, Michael Geist considers the implications of the European Parliament’s recent decision on the Anti-Counterfeiting Trade Agreement (ACTA) for Canada-EU trade. Referencing documents indicating “the EU plans to use the Canada-EU Trade Agreement (CETA), which is nearing its final stages of negotiation, as a backdoor mechanism to implement the ACTA provisions,” Geist contends such a move “creates enormous risks for Canada’s trade ambitions. Given the huge anti-ACTA movement, the Canada-EU trade deal could face widespread European opposition with CETA becoming swept up in similar protests.” To avoid that, Geist recommends Canada advocate for the removal of CETA’s intellectual property chapter.

BIG DATA

Privacy, Economics and “Do Not Collect” (July 12, 2012)

Examining the difference between the low cost of paying a company to find someone online versus the higher costs associated with companies that help people “hide from the Internet,” a paidContent report questions whether the time has come for a “do not collect” law. While suggesting “the ‘pay for privacy’ approach doesn’t acknowledge the new economic imbalance in which personal data is cheap and anonymity is expensive,” the report also questions whether a “do not collect” system “would be enough to put the data genie back in the bottle.”

PRIVACY LAW

IBM Contract Released To Public (July 6, 2012)

The BC government says it won’t fight a court order to release the details of a $300 million contract with IBM, a decision that has pleased privacy advocates, CBC News reports. Following an eight-year privacy dispute, the BC Supreme Court ruled last month that “there are no security reasons to withhold the remaining sections of the 535-page contract with IBM,” the report states, which the Minister for Open Government says she will not appeal. The government posted the contract to its website this week. The contract was signed in 2004 and has since incited arguments from both IBM and the provincial government over whether it should be released to the public.

PRIVACY LAW

University Releases Donation Document (July 6, 2012)

Following a yearlong battle, Carleton University has released information about a $15-million donation that created a graduate program. The Canadian Press had requested a copy of the donor agreement between the university and Calgary businessman Clayton Riddell, but the university cited invasion of privacy, third-party information and the school’s economic interests in its refusal to share the agreement, The Canadian Press reports. The university released the document last week with Riddell’s authorization. “I use the term ‘no profound objection’ purposefully as I know that you and the university will recognize the privacy issues involved here,” Riddell wrote, adding that he is erring on the side of transparency for the sake of the program.

DATA LOSS

Institute of Technology Reports Breach (July 6, 2012)

The BC Institute of Technology has confirmed that a scheduled security audit has revealed a breach at its Burnaby campus, The Canadian Press reports. The breach involves the personal information of nearly 13,000 individuals who used the student medical clinic from October 2005 to June 11, 2012, the report states. The information includes birth dates, medical numbers, addresses and phone numbers. The institute has sent letters to alert those affected and is working with BC’s privacy commissioner “to ensure privacy standards are upheld,” the report states.

SURVEILLANCE

Body-Scanning Vans Spark Concerns (July 6, 2012)

American Science & Engineering has introduced Z Backscatter Vans (ZBVs) capable of scanning nearby cars for explosives, drugs and people, Mashable reports, questioning, “Is roving, body-scanning van a needed surveillance tool or another step toward eroding personal privacy?” With more than 500 of the vans already sold to government agencies around the world, privacy advocates are raising concerns. When it comes to ZBVs, one privacy expert asserts that “from a privacy perspective, it’s one of the most intrusive technologies conceivable.”

PRIVACY LAW

Opinion: Landscape Is Changing When It Comes to Privacy (July 6, 2012)

In Lawyers Weekly, Mark Hayes says several recent court cases indicate that “courts are now willing to take a more balanced view of the meaning of privacy laws.” Though in the past, federal courts considered the privacy commissioner’s interpretations of laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in making their decisions, the landscape is changing, Hayes writes. The Federal Court rejected the privacy commissioner’s position in a 2010 case, determining PIPEDA does not apply to insurance companies’ data collection when defending individuals, “significantly limiting the application of privacy laws to information-gathering by or on behalf of individuals.” And in April, a court of appeal ruled the commissioner’s decision was unreasonable.

BIG DATA

The E-Book’s Two-Way Mirror (July 3, 2012)

The Wall Street Journal reports on the rise of big data analytics on consumers' e-reading habits by publishers, providing "a glimpse into the story behind the sales figures, revealing not only how many people buy particular books but how intensely they read them." Now that publishers are employing e-reader data analytics, the formerly private act of reading is becoming "something measurable and quasi-public," the report states. The U.S.-based Electronic Frontier Foundation argues that readers should have the right to opt out of being tracked by publishers, adding, "There's a societal ideal that what you read is nobody else's business." (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—CANADA & U.S.

OPC: Border Agreement Threatens Canadians’ Privacy (July 2, 2012)

Canadian Assistant Privacy Commissioner Chantal Bernier has said that the 12-point Canada-U.S. privacy charter contains some fundamental building blocks for privacy but falls short of the federal privacy commissioner's standards, The Globe and Mail reports. One main concern, according to Bernier, is that the principles are nonbinding. "We were hoping for greater control for Canada on the personal information it holds," she said. The border security agreement was struck last year between the Obama and Harper administrations.

 
DPC Billy Hawkes on the right to be forgotten (July 1, 2012)

The provision within the European Commission’s draft data protection framework outlining “the right to be forgotten and to erasure” has both regulators and stakeholders asking whether it is viable. The draft framework states it would grant data subjects the right to withdraw their consent for their personal data to be collected or processed, except in cases where the collection and processing is necessary for “historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law, or where there is a reason to restrict the processing of the data instead of erasing them.” The Privacy Advisor recently chatted with Irish Data Protection Commissioner Billy Hawkes, a member of the Article 29 Working Party, to ask for his perspective on the draft regulation’s provision.