Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY LAW

Federal Privacy Law Doesn’t Govern Political Parties (September 28, 2012)

Concerns have recently been raised about how political parties use personal information and the lack of Canadian laws governing that use, CBC News reports. The Office of the Privacy Commissioner (OPC) recently noted that “Canadian federal privacy protection law does not cover federal political parties.” Though troubled by the reports, OPC spokeswoman Anne-Marie Hayden said, “Our office does not have jurisdiction over political parties under either the Privacy Act or the Personal Information Protection and Electronic Documents Act.” Of the provincial laws, only BC’s covers political parties under its Personal Information Protection Act, the report states.

PRIVACY LAW

Supreme Court Rules Teen’s ID To Be Kept Private (September 28, 2012)

The Supreme Court of Canada has ruled that a Nova Scotia teenager aiming to sue the individuals who bullied her on Facebook will be allowed to keep her identity private, CTV News reports. The court stated, “Recognition of the inherent vulnerability of children has consistent and deep roots in Canadian law and results in the protection of young people’s privacy rights based on age, not the sensitivity of the particular child.” Meanwhile, Ontario Information and Privacy Commissioner Ann Cavoukian has said that shaming people online is an effect of the proliferation of mobile devices and consequently, caution while in public should be exercised.

DATA LOSS

File of College Students’ Info Accidentally Shared (September 28, 2012)

CBC News reports on a privacy breach at the College of the North Atlantic's Engineering Technology Centre in St. John's. “A computer file with students' names, ID numbers, phone numbers, courses, locker numbers, serial numbers of their locks and the combinations was inadvertently included in a folder that all students can access,” the report states, noting the file was subsequently removed. The college has also added security in the building and has secured all lockers, the report states.

DATA LOSS

Breach Affects 100,000 IEEE Members (September 27, 2012)

The user names and passwords of approximately 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) have been compromised in an apparent breach, Help Net Security reports. The affected data was stored on an FTP server in unencrypted form. The IEEE has as many as 400,000 members worldwide, many of whom are security professionals. The incident was discovered by Romanian researcher Radu Dragusin.

ONLINE PRIVACY—CANADA

Commissioner: Websites Inappropriately Sharing Users’ Personal Information (September 26, 2012)

A report by Canada’s Office of the Privacy Commissioner says some leading Canadian websites are inappropriately sharing users’ personal information with third parties, reports the Canadian Press. Privacy Commissioner Jennifer Stoddart investigated 25 shopping, travel and media sites and found information—including names, e-mail addresses and postal codes—was being collected without consent. Stoddart has written to 11 of the sites, seeking explanations on how changes will be made to comply with Canadian privacy law, the report states. “Our research serves as a wake-up call to all online services to ensure they are complying with Canadian law—and respecting the privacy rights of people who use their sites,” Stoddart said.

DATA PROTECTION

Report: Most Breaches Due to Employee Error (September 25, 2012)

COMPUTERWORLD reports Forrester Research has found that most data breaches are caused by events such as employees losing or misusing corporate assets or having them stolen. In the survey of more than 7,000 executives and employees in North America and Europe, 31 percent said theft or loss was the cause of data breaches, and 39 percent said data leaks on mobile devices are a concern. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” the report’s authors said, adding it’s not only a matter of appropriate tools and controls; only 56 percent of respondents said they were aware of their organization’s security policies.

DATA PROTECTION

Risk Report Finds “Sharp Increase” in Browser Exploits (September 21, 2012)

InfoSecurity reports that the results of the IBM X-Force 2012 Mid-Year Trend and Risk Report suggest “the landscape has seen a sharp increase in browser-related exploits…along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.” The report notes an upward trend in vulnerabilities. “We’ve seen an increase in the number of sophisticated and targeted attacks,” said IBM’s Clinton McFadden, adding, "As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data." Editor's Note: The IAPP's recent web conference The Implications of Bring Your Own Device (BYOD) offers additional insights into the issues surrounding BYOD.

HEALTHCARE PRIVACY

Commissioner Calls for Stiffer Snooping Penalties (September 21, 2012)

Newfoundland and Labrador Privacy Commissioner Ed Ring says more must be done to prevent healthcare employees from snooping on patient files, CBC News reports. Ring’s comments follow a recent privacy breach in Manitoba involving at least eight healthcare employees viewing files they were not authorized to view. The eight were subsequently fired and others disciplined. While Newfoundland and Labrador law provides that offenders of the Health Information Act may be fined up to $10,000 or sentenced to six months in jail, the penalty has never been enforced, the report states.

HEALTHCARE PRIVACY

Suspended Health Official Takes Legal Action (September 21, 2012)

A suspended health official has filed a lawsuit in British Columbia Supreme Court claiming he was wrongfully suspended for an alleged privacy breach involving the management of research data, The Vancouver Sun reports. Health Minister Margaret MacDiarmid has declined to comment while the investigation is underway.

PERSONAL PRIVACY

Canadian Civil Liberties Association: Police Checks Violate Privacy (September 21, 2012)

A new report by the Canadian Civil Liberties Association (CCLA) says police are releasing noncriminal information in routine police checks in violation of citizens’ privacy rights, CBC News reports. The report claims police run approximately 160,000 background checks each year containing information about convictions, charges and contact with police that “were either withdrawn or did not involve criminal activity,” the report states. The CCLA says such practices are unacceptable, adding there is “an urgent need for greater fairness and clarity in the police background check process.”

PRIVACY LAW

Election Chief To Provide Voter Database Recommendations (September 21, 2012)

Chief Electoral Officer Marc Mayrand is analyzing voter identification databases to assess whether regulations are necessary to control the information, The Globe and Mail reports. Mayrand has said he will provide recommendations to Parliament by the end of March on potential improvements to voter data protection and use. “Generally, the data collected by parties is not subject to privacy legislation, so that’s an issue that may need to be explored,” he said, adding, “little is known about how this information is gathered, how long it’s retained, what happens when there’s a breach…what level of security does exist around access to this information…”

INFORMATION ACCESS

Cavoukian: Information Must Be Made Easily Available to Individuals (September 21, 2012)

Ontario Information and Privacy Commissioner Ann Cavoukian says government systems and programs should be designed to make information available and accessible to the public, The Star Phoenix reports. She added it’s no longer sufficient to allow for access to information requests. “Data should be free, open and transparent,” she said. “I don’t want people to go hunting and digging up things.” At the same time, she said, personal data collected by the government must be closely guarded and kept safe.

RFID

Microchips Implanted in Humans? (September 21, 2012)

It’s not uncommon for pets to be implanted with RFID microchips containing their owners’ contact information in case the pet is lost, reports Canadian Lawyer. So it’s not hard to imagine the same could soon be done for humans. One U.S. company was granted approval from the U.S. Food and Drug Administration to experiment with the chips in 2002. The chips could contain healthcare, banking or identification information, for example, to be accessible anywhere at any time. But privacy concerns arise, including a “vulnerability to theft of information.” As such, a “thoughtful analysis” of potential uses should be conducted, the report states.

ONLINE PRIVACY

Study Looks at Privacy Concerns Among Chronically Ill Teens (September 21, 2012)

A study that looked at how chronically ill teenagers manage their privacy found that they spent a significant amount of time online and managed their privacy closely, Medical Xpress reports. The study by Canadian and Norwegian researchers surveyed patients aged 12 to 18 and aimed to understand how the teens view online privacy issues while in the hospital. It found that social and psychological privacy were very important to the teens, but government or company data collection was not a concern. One researcher says there’s a need for guidelines on social network-based communication between patients and healthcare providers.

DATA LOSS—CANADA

BC Health Ministry Fires Fifth Worker for Alleged Breach (September 17, 2012)

A fifth employee of British Columbia’s Health Ministry has been fired over an alleged privacy breach, The Victoria Times Colonist reports. The worker had been one of three who had been suspended, but according to the report, the 30-year government employee in charge of data access, research and stewardship has now been released. BC Health Minister Margaret MacDiarmid has said the issues in the ongoing investigation relate to inappropriate conduct, data management and “contracting-out allegations,” the report states. “It’s been incredibly complex and it continues to be,” MacDiarmid added.

PERSONAL PRIVACY

Everyday Privacy Breaches (September 14, 2012)

In a column for The Globe and Mail, Tony Wilson writes about how a local car repair shop breaches the personal privacy of its customers with a convenient service. In the waiting room, a 52-inch screen lists appointment times with customers’ full names, car models and license plate numbers. Wilson said the service potentially would allow a stalker to locate an individual, adding, “The inadvertent display of a customer’s personal information can be caught by laws regulating its collection and use by businesses in Canada.” Editor’s Note: Read more about the potential for inadvertent privacy breaches in the recent Inside 1to1: PRIVACY article, “The Masses As Data Controllers: What They Don’t Know Could Hurt You.”

INFORMATION ACCESS

Justice Minister Vows Probe (September 14, 2012)

Saskatchewan Justice Minister Gordon Wyant has responded to a report released by Privacy Commissioner Gary Dickson this week concerning information access denials by the Workers’ Compensation Board, The Star Phoenix reports. “It does appear to be a little bit of an issue there that’s been raised,” Wyant said, adding, “It’s important enough that we’re going to light a fire under some people to make sure that we get a review done, or we’ll look at it as quickly as we can.”

HEALTHCARE PRIVACY

Patient Records Breached at Rural Clinic (September 14, 2012)

Eastern Health has announced that the private medical data of approximately 46 patients has been violated at an unnamed rural clinic, CBC News reports. As a result, one employee has been fired and another has resigned. Eastern Health has informed all patients involved of the violation. In a separate incident, a class-action lawsuit has been filed against the authority. Eastern Health’s CEO said, “while we do continue to identify these serious breaches, it is my belief that the number of employees who inappropriately access patient records are in a minority.”

PRIVACY LAW

Dickson Tells Telco To Minimize Data Collection (September 14, 2012)

Saskatchewan Privacy Commissioner Gary Dickson has told SaskTel to stop collecting health card and social insurance numbers and other unique identifiers from its customers, CBC News reports. Dickson’s recommendations are part of a 58-page report on the company’s data collection practices. SaskTel has said it will improve its customer privacy but says it needs at least two forms of identification to establish credit-worthiness. Dickson said the company is “doing some very positive things” but “efforts are falling short in terms of compliance,” adding, “This is in part due to its apparent desire to collect as much personal information on its customers and associated third parties as possible contrary to the data minimization principle.”

PERSONAL PRIVACY

Concerns Persist Over Missing Persons Act (September 14, 2012)

Critics believe privacy concerns have not been adequately addressed in Alberta’s new Missing Persons Act, the Calgary Herald reports. The new act, which was proclaimed last week, gives police tools to assist in searches but has some concerned it could breach the privacy of those who choose to “disappear without a trace.” Liberal MLA Laurie Blakeman said the law allows police to collect too much personal information. "I understand why the government did it. They did it for all the right reasons. But this is not the solution," Blakeman said.

INFORMATION ACCESS

Complaint Filed Against BC Government (September 14, 2012)

A complaint filed by the BC Freedom of Information and Privacy Association alleges the province’s “government responds to nearly a quarter of all requests under freedom-of-information laws by insisting it has no records to offer,” The Globe and Mail reports. In a filing with BC’s information and privacy commissioner, the group cites statistics indicating, “In 2002-2003, there were no cases in which the government could not find any records to satisfy a request; today, that scenario accounts for 23 percent of all requests.”

HEALTHCARE PRIVACY

Researchers: Ban on Breached Data Excessive (September 14, 2012)

The Vancouver Sun reports on last week’s health data breach in Victoria. BC Information and Privacy Commissioner Elizabeth Denham had warned previously that Bill 35—which made the data easier for researchers to access—went too far, but the bill passed anyway, the report states. The government’s subsequent freeze on access to the data following the breach could harm future research, warns the director of the BC Centre for Excellence in HIV/AIDS. “This is like saying because people speed on the highways, we close the highways,” he said. Likewise, the co-director of the Therapeutics Initiatives at the University of British Columbia says the freeze has gone on for too long.

TRAVELLERS’ PRIVACY

New Passports Able To Hold More Data (September 14, 2012)

New passports to be released next spring will be able to hold much more personal data on a larger range of information, causing concern for some that the data may be misused, reports the Ottawa Citizen. Jim Marriott, chief of International Civil Aviation Organization’s Aviation Security Branch, says that while today’s passports have a strip containing certain data, the chip in the new ones is “capable of storing a lot more information about who I am,” adding, "The range of information is virtually unlimited, but that will be up to each individual state to select the information on the chip." The change is part of global efforts to strengthen airport security.

HEALTHCARE PRIVACY

Four BC Gov’t Employees Fired for Alleged Privacy Breach (September 7, 2012)

The government of British Columbia revealed it has suspended all drug-related research and fired four employees accused of breaching privacy, The Vancouver Sun reports. Health Minister Margaret MacDiarmid said she believes individuals went “outside of the rules around taking data and using data with respect to research in the area of drugs.” A $4 million research contract has been suspended to ensure “no health information is being shared inappropriately,” she said, adding that an investigation into the incident is underway. “It is my understanding that it was personal data, that is regarding medications,” she said, noting the ministry has forwarded the information to the privacy commissioner.

DATA PROTECTION

Commissioner’s Report Calls For Enhanced Enforcement (September 7, 2012)

Ontario’s privacy commissioner says that “even good privacy policies can be useless if they’re not followed,” The Canadian Press reports. In a new report, Commissioner Ann Cavoukian says organizations must enhance their understanding and enforcement of privacy policies in light of a privacy breach earlier this year at Elections Ontario. “If you don’t enforce your policy, it has no value,” Cavoukian said. “And don’t dare to assume that your frontline staff will know automatically how to implement a policy.”

PRIVACY LAW—EU & U.S.

UN Internet Debate Set; Advocates Urge Strong EU Privacy Regs (September 6, 2012)

Debate about how the United Nations (UN) may govern the Internet will commence in Denmark next week, and EuropeanVoice reports that regulators, industry representatives and advocates are set for a robust discussion. Proposed rule changes could affect the UN International Telecommunications Union’s powers to enforce data protection and cybersecurity, the report states. Meanwhile, a group of consumer and privacy groups has sent the European Parliament a letter urging the EU to press forward on tough privacy rules under the proposed data protection regulation, saying “that the promotion of stronger privacy standards in Europe will benefit consumers around the globe.” Editor’s note: For more on this topic, see the article “Privacy worries surround UN Internet regulations” in the September edition of the IAPP’s Privacy Advisor newsletter.