Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

HEALTHCARE PRIVACY

Another Class-Action Suit Filed Over Breach (August 31, 2012)

Another lawsuit has been filed against Western Health for a breach involving the personal information of more than 1,000 patients, The Western Star reports. The suit, filed in the Supreme Court of Newfoundland and Labrador last Friday, also names as a defendant the healthcare worker who was fired for inappropriately accessing the data. As reported in last week’s Dashboard Digest, three other lawsuits have been filed against regional health authorities recently as a result of alleged privacy breaches.
Full Story

SURVEILLANCE

Sharing of Licence-Plate Data Sparks Probe (August 31, 2012)

British Columbia’s privacy commissioner is investigating a U.S. Customs and Border Protection (CBP) practice of sharing licence-plate data collected at the U.S.-Canadian border with insurance companies, reports CTV News. Licence plates of all cars crossing the border are scanned, and records show that CBP has been sharing this data with the National Insurance Crime Bureau—an industry nonprofit made up of most U.S. insurance agencies—since 2005. CBP says it is acting within the law and the data is only given on a need-to-know basis, but civil liberties groups are voicing concerns, noting this is “one example of data flowing to people you might not have expected.”
Full Story

DATA PROTECTION

As Smart Grid Grows, Privacy Concerns Proliferate (August 31, 2012)

With the increased emergence of smart grid technology and the deployment by utility companies of smart meters, governments and privacy advocates are “actively collaborating to work toward best practices, privacy frameworks and, in some jurisdictions, legislation.” The Future of Privacy Forum’s Chris Wolf has said the smart grid will “form a library of personal information, the mishandling of which could be highly invasive of consumer privacy.” In this exclusive for The Privacy Advisor, IAPP Publications Board Member Chris Pahl, CIPP/US, CIPP/G, and Ontario Information and Privacy Commissioner Ann Cavoukian offer advice on how utilities can address consumer concerns and apply appropriate data protection. (IAPP member login required.)
Full Story

FINANCIAL PRIVACY

Insurance Industry: Banks Continue To Flout Regulations (August 31, 2012)

According to Steve Masnyk, public affairs manager for the Insurance Brokers Association of Canada (IBAC), the banking sector is “defying” federal regulations aimed at preventing the comingling of banking and insurance activities—and he sees no end to it, reports The Canadian Press. The IBAC recently filed a complaint against the Royal Bank of Canada (RBC) alleging the company sent letters attempting “to leverage the customer’s relationship with RBC Royal Bank in order to solicit the customer to insure his cars and home with RBC Insurance.” RBC has responded by saying, “We are committed to regulatory compliance and respect the Bank Act and privacy legislation.”
Full Story

PRIVACY LAW

Court Dismisses RBC Mortgage Disclosure (August 31, 2012)

In June, the Ontario Superior Court of Justice dismissed a motion by the Royal Bank of Canada (RBC) that would have forced the Bank of Nova Scotia (BNS) to disclose mortgage information to RBC, writes John Jager, CIPP/US, CIPP/C, for The Privacy Advisor. RBC required a mortgage discharge statement from BNS in order to proceed with a sheriff’s sale on a property, but Jager writes that the court “reluctantly dismissed” the motion, saying it was bound by a previous court decision stating that “PIPEDA prohibits organizations from disclosing PI without the knowledge or consent of the affected individual unless disclosure is permitted by one of the exemptions provided in section 7(3).” (IAPP member login required.)
Full Story

SOCIAL NETWORKING

Commissioner Launches Educational Video Contest (August 31, 2012)

Ontario Information and Privacy Commissioner Ann Cavoukian has launched an online video contest aimed at educating people about protecting their privacy on social media sites, reports MetroNews. “Make the Right Choices” will accept entries from Ontario residents between the ages of 18 and 30 on four topics: Stay in Control of Social Media, Don't Be a Cyber-bully, Stranger Danger and Don't Get Fired, the report states. The contest is open until November 30.
Full Story

ONLINE PRIVACY

Privacy Worries Surround UN Internet Regs (August 30, 2012)

“What would online privacy look like if the United Nations (UN) regulated the Internet?” queries Mathew J. Schwartz in this exclusive for The Privacy Advisor. “That’s one question on the minds of privacy advocates as the International Telecommunications Union—a UN agency based in Geneva, Switzerland, that regulated telecommunications and IT issues—approaches the task of helping the UN decide if it should exert more control over Internet governance,” Schwartz writes. According to the report, some proposals “have technologists and—at least in the United States—legislators up in arms, leading to allegations that the renegotiated treaty could allow countries such as China and Russia to more easily censor the Internet.”
Full Story

HEALTHCARE PRIVACY

A Trio of Lawsuits Filed Over Breaches (August 24, 2012)

A St. John’s lawyer has brought three lawsuits against regional health authorities on behalf of patients who allege their privacy was breached, CBC News reports. One woman is suing the Western Health Regional Health Authority in a suit that seeks class-action status. Another woman is suing Eastern Health following that authority’s disclosure in July that five employees had been fired for privacy breaches, including a nurse who accessed 122 patient records without permission. A third woman is suing Central Health on allegations an employee at the authority accessed her records inappropriately.
Full Story

ONLINE PRIVACY

Opinion: New Minister Could Restart Surveillance Bill (August 24, 2012)

In a column for the Toronto Star, Michael Geist opines that Public Safety Minister Vic Toews’ anticipated appointment to the Manitoba Court of Appeal is “an opportunity for a fresh start on Internet surveillance legislation, one of the government’s biggest political blunders to date.” Geist says the upcoming public safety opening gives the government “at least two options,” adding, “a new minister provides a convenient opportunity for an Internet surveillance restart” that could “include scrapping the bill, launching a public consultation or asking a House of Commons committee to study the issue before moving ahead with new legislation.”
Full Story

PRIVACY

OPC Launches Online Complaint Form (August 24, 2012)

The Office of the Privacy Commissioner (OPC) has launched an online complaint form for Canadians who feel their privacy has been violated. The form, found on the OPC’s website, allows users to submit the necessary data to file a complaint under the Personal Information Protection and Electronic Documents Act (PIPEDA). The new form “reflects the OPC’s commitment to meeting the needs and expectations of Canadians and further improving its service to Canadians,” the OPC said in a press release, adding individuals are encouraged to resolve privacy concerns by first contacting the organization involved.
Full Story

BIG DATA

Opinion: Big Data Collection Must Slow Down (August 24, 2012)

As more organizations construct “digital dossiers” of consumers, Colorado Law School Prof. Paul Ohm writes in Harvard Business Review that “databases will grow to connect every individual to at least one closely guarded secret,” thereby causing “more than embarrassment or shame; it would lead to serious, concrete, devastating harm.” Ohm said many opportunities come with Big Data, but ubiquitous data collection “will become an inevitable fixture of our future landscape, one that will be littered with lives ruined by the exploitation of data assembled for profit.” Consequently, businesses “should slow things down, to give our institutions, individuals and processes the time they need to find new and better solutions,” writes Ohm.
Full Story

DATA PROTECTION

Google Creating Staff of Privacy Experts (August 23, 2012)

Google is in the process of forming a “privacy red team” of experts to mitigate and iron out privacy risks and vulnerabilities in its products, ZDNet reports. According to a job post for a data privacy engineer, a red team member will work “to independently identify, research and help resolve potential privacy risks across all of our products, services and business processes in place today.” A ThreatPost report states the move by Google “to look critically at engineering and other decisions in the company’s products and services that could involve user privacy risks is perhaps a unique one.”
Full Story 

PRIVACY LAW

Justice Minister Says Doctor Will Not Be Charged (August 17, 2012)

Saskatchewan’s justice minister says there is not enough evidence to charge Dr. Teik Im Ooi under the Health Information Protection Act, reports The Globe and Mail. Private files on some of Ooi’s patients were found in a recycling dumpster last year, but Justice Minister Gord Wyant says there is no evidence that the doctor knew her safeguards on patient privacy were insufficient. No one has been charged under the Health Information Protection Act since it came into force in 2003, the report states, which Wyant says indicates a flaw in the law. An op-ed in The Regina Leader-Post says trustees of health information—“whether organizations or individuals—need to be held accountable for its security and proper disposal.”
Full Story

SURVEILLANCE

Commissioner Discusses Surveillance Technology (August 17, 2012)

Privacy Commissioner Jennifer Stoddart weighs in on a recent controversy over hundreds of leaked e-mails at the hands of Wikileaks, CBC reports. Following the leaks, one analysis firm asserted that Trapwire surveillance technology may be in use in Canada. Stoddart says, however, that her office has “not evaluated this technology or learned of its use within Canada outside of this report of a third-party report. Our office, however, is interested in initiatives that would use such surveillance technology and impact on privacy in pursuit of greater security.” She offers advice to organizations considering using such technology, asking “is the loss of privacy proportional to the need?”
Full Story

HEALTHCARE PRIVACY

Denham: Medical Research and Privacy Aren’t Enemies (August 17, 2012)

In a special to The Vancouver Sun, BC Privacy Commissioner Elizabeth Denham discusses the ongoing debate about access to health data for medical research, with many alleging privacy law and policies hinder progress. “I am confident that it is possible to facilitate research and protect privacy at the same time,” Denham says, adding that in her view, “privacy and research are partners, not adversaries, in the pursuit of better health outcomes.” Denham assembled a variety of stakeholders to discuss the issue, and they concluded that there is a “troubling lack of information” about the type of data available to researchers, data silos that create delays and lengthy approval timelines.
Full Story

SURVEILLANCE

Opinion: Licence-Plate Camera Policy Never Mentions Privacy (August 17, 2012)

The Victoria Police Department has come under fire for its policy on automated licence-plate cameras. The department says the policy is lawful, but “it’s actually bereft of details, fails to reference any legislation and simply promises to mirror whatever the RCMP decides,” opine Rob Shaw and Katie Derosa for The Victoria Times Colonist. The privacy commissioner is currently investigating whether the department’s cameras—which scan and record 3,000 vehicle plates per hour—comply with the province’s privacy law, the report states. Shaw and Derosa say the department’s two-page policy on the cameras does not mention the word privacy.
Full Story

BIOMETRICS

Consumer ID Cameras Introduced, Raise Concerns (August 16, 2012)

The Ottawa Citizen reports on a U.S.-based company that is rolling out facial recognition services for businesses wanting to offer deals to customers. Facedeal users opt in to the service by uploading photos of their faces via Facebook, allowing the service to track users’ shopping habits at businesses using the technology. The creation of a database comprised of faces has raised red flags for Ontario Information and Privacy Commissioner Ann Cavoukian. In addition to data security concerns, she warned, “You don’t know where the information is going to end up, and I always say, beware of unintended consequences.”
Full Story

DATA LOSS

Gamers Urged To Change Passwords After Breach (August 10, 2012)

Blizzard Entertainment is warning gamers to change their passwords due to a security breach of its internal network, CNET News reports. Certain e-mail addresses and scrambled passwords are believed to have been stolen, according to the company. “At this time, we've found no evidence that financial information such as credit cards, billing addresses or real names were compromised,” said company President Michael Morhaime in a blog post. “Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.”
Full Story

PERSONAL PRIVACY

Police Sergeant Demoted for Accessing Databases (August 10, 2012)

A 25-year veteran of the Ottawa police force this week pleaded guilty to inappropriately accessing personal information stored in police databases, the Ottawa Citizen reports. Staff Sgt. Lise Fournier will be demoted for a period of seven months after admitting to accessing the information 169 times over a three-year period in what police prosecutor Christiane Huneault described as a “serious violation of the complainant’s right to privacy.” The plea comes just a few months after an Ottawa constable admitted to similar acts.
Full Story

INFORMATION ACCESS

Redford Launches Review of Gov’t Officer Spending (August 10, 2012)

Alberta Premier Alison Redford has announced a review of the spending practices of senior government officials and cabinet members after an expenses scandal at Alberta Health Services, reports the Calgary Herald. The review will be led by Don Scott, associate minister of accountability, transparency and transformation, who has asked Privacy Commissioner Jill Clayton to collaborate on studying other regions’ disclosure models and said he plans to hire a human resources company to evaluate hiring practices.
Full Story

ONLINE PRIVACY

10 Things To Consider When Writing a Privacy Policy (August 10, 2012)

Daniel Khazzam, a Montreal lawyer and information technology consultant, writes for the Montreal Gazette about factors organizations should consider when writing an online privacy policy. Noting that a privacy policy should “always be reviewed by counsel,” Khazzam offers a list of 10 considerations for organizations looking to write a policy in compliance with Quebec privacy laws, including that policies must be clear and understandable and detail how an organization stores, collects and uses data. He adds, “Make sure that your privacy policy is brought to the attention of users and is consented to.”
Full Story

PRIVACY LAW

Opinion: First Responder Law Sets “Low Standard” (August 10, 2012)

Calgary privacy professional Sharon Polsky writes about her concerns over a British Columbia law that would allow first responders to access medical records of others if they’ve come in contact with bodily fluids. In Saanichnews.com Polsky writes that allowing first responders full access to medical files without certain limits, “sets a very low standard and an inviting precedent.” Polsky writes, “A law such as this can only be valid if it clearly articulates and limits the circumstances in which such a privacy invasion may be conducted and limits to whom the information may be further divulged,” adding that a neutral third party may be the best person to conduct the review.
Full Story

DATA LOSS

Opinion: Cavoukian provided “Great Service” (August 10, 2012)

After Elections Ontario lost two unencrypted USB sticks resulting in the exposure of as many as 2.4 million voters’ personal data, Ontario Information and Privacy Commissioner Ann Cavoukian chastised the company for failing to implement privacy safeguards and recommended they appoint a chief privacy officer and develop a privacy training program for staff. Thanking Cavoukian for her efforts, the Toronto Sun editorial says she has “provided a great service to the province’s residents,” noting, “It’s just too bad she had to.”
Full Story

ONLINE PRIVACY

Google To Include Gmail Content in Web Searches (August 10, 2012)

Google has announced plans to roll out a new feature to a million Gmail users who sign up for it, and after accepting feedback, hopes to give all accountholders the ability to opt in to the feature that would allow contents of users’ Gmail correspondences to be included in their Google searches, reports the Associated Press. The feature is a response to a more people-centered Internet driven by the prevalence of information sharing on social networks, the report states, and may bring with it privacy concerns. To alleviate these concerns, Google will show Gmail communications in a collapsed format that users have to open in order to see details.
Full Story

ONLINE PRIVACY

Internet Explorer 10 To Keep DNT By Default (August 8, 2012)

Microsoft has announced it will keep its default do-not-track (DNT) setting in Internet Explorer 10 (IE10), Ars Technica reports. Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, said, “Customers will receive prominent notice that the selection of Express Settings turns DNT on.” Users will also have the option to opt out of DNT in the customize setting. Lynch added, “Our approach to DNT in IE10 is part of our commitment to privacy by design and putting people first…We believe consumers should have more control over how data about their online behavior is tracked, shared and used.”
Full Story

CLOUD COMPUTING

The Cloud and Its Privacy Risks (August 8, 2012)

TECHNEWSWORLD reports that privacy in the cloud “may be an illusion,” and businesses relying on the cloud should be aware of its privacy risks. Laws in the U.S., EU and elsewhere allow government agencies access to cloud data, and Mutual Legal Assistance Treaties facilitate cooperation across borders, allowing law enforcement to request data in any country that is a part of such a treaty. The report points to a recent whitepaper that concludes “it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities.”
Full Story

SURVEILLANCE

Commissioners Launch Licence Plate-Recognition Probe (August 3, 2012)

BC Privacy Commissioner Elizabeth Denham has said she is initiating an investigation into whether law enforcement authorities are complying with privacy regulations when using technology that automatically reads, detects and matches licence plates with corresponding photos of individuals who are of interest to the police, The Canadian Press reports. Denham is expected to focus the probe on the Victoria Police Department and will provide guidance for authorities that use the technology. A second investigation into whether public organizations are complying with privacy law when disclosing public interest data will reportedly begin in August as well. Meanwhile, Manitoba’s privacy ombudsman says he will look into how similar licence-plate technology is being used by the Winnipeg Police Service.
Full Story

HEALTHCARE PRIVACY

Eastern Health Won’t Press Charges; Western Health Breached (August 3, 2012)

Eastern Health has said it will not pursue criminal charges against former employees who accessed patient medical records without authorization, CBC News reports. One of the former employees said she looked at files for other individuals. One privacy expert said provincial law states that intentional violations can result in jail sentences or fines as high as $10,000. Meanwhile, officials at Western Health in Newfoundland have fired an employee for the unauthorized access of more than 1,000 patient records. The province’s privacy commissioner has been notified.
Full Story

HEALTHCARE PRIVACY

Commissioner: Health Data Fee “Unreasonable” (August 3, 2012)

Newfoundland and Labrador Information and Privacy Commissioner Ed Ring has released a report under the Personal Health Information Act (PHIA) after an investigation revealed that a $50 access fee charged by Eastern Health was unreasonable, according to a press release. Ring recommended a $25 fee for up to 50 pages and 25 cents for each additional page and that health information be provided to patients for free at the point of care. On July 1, two weeks prior to Ring’s report, Eastern Health reduced its rates to meet the commissioner’s recommendations.
Full Story

ONLINE PRIVACY

Opinion: Prime Minister’s Privacy Policy Needs Rewrite (August 3, 2012)

In the Ottawa Citizen, Michael Geist writes about the apparent inaccuracies of the prime minister’s website privacy policy. Though the site’s privacy policy states it does “not regularly use cookies,” Geist states it inserts five—including one that remains on a user’s computer for six months and another for two years. Since the site uses cookies, “the policies are inaccurate and should obviously be replaced,” Geist writes, adding, three lessons can be learned: Sample privacy policies “often create problems” because sites use data in different ways; sites should regularly reassess their privacy policies, and the government should consider a do-not-track option.
Full Story

DATA PROTECTION

Security Experts Discuss Current State of Play (August 3, 2012)

Speaking at a recent event, security experts discussed their views on upcoming difficulties with privacy and security, ITWorldCanada reports. On the topic of who the experts would trust to handle their data—the government or Google—BT Chief Security Technologist Bruce Schneier said, “I don’t trust sending my data across the border because the NSA is going to grab it.”
Full Story

DATA LOSS—CANADA

OIPC: Systemic Failures in Voter Data Processing (August 1, 2012)

An investigation by Ontario Information and Privacy Commissioner Ann Cavoukian has revealed that Elections Ontario demonstrated “systemic failures” when handling voter data. Cavoukian said she was “deeply disturbed” that the agency did not properly train staff, The Globe and Mail reports. Days after misplacing USB keys containing the personal information of 2.4 million voters, staffers still used unencrypted memory sticks, according to the investigation. Cavoukian has recommended the agency appoint a chief privacy officer and develop a privacy training program for staff.
Full Story