Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

ONLINE PRIVACY

Yahoo To Ignore Default DNT Settings (October 31, 2012)

Yahoo has announced that it will ignore Internet Explorer 10’s default do-not-track (DNT) settings, InformationWeek reports, indicating the setting “ignores the wishes of its users.” The browser will continue to offer its Ad Interest Manager, which allows users to make choices about the online ads targeted to them, and other tools. “Ultimately, we believe that DNT must map to user intent—not to the intent of one browser creator, plug-in writer or third-party software service,” Yahoo said in a statement.

ONLINE PRIVACY—CANADA

Commissioner Releases Paper on Personal Data Ecosystem (October 31, 2012)

Information and Privacy Commissioner of Ontario Ann Cavoukian, with co-authors from Europe and the U.S., has released a paper, Privacy by Design and the Emerging Personal Data Ecosystem, that highlights new technologies enabling Internet users to have more control over their data. “Privacy is all about control,” Cavoukian says in a news release, adding, “that is why I am taken with the promise of the emerging Personal Data Ecosystem. New technologies…give individuals a central point of control for their personal information and the ability to decide what information to share, with whom and under what conditions.”

TRAVELERS’ PRIVACY

Group Warns of Public Transit Privacy Concerns (October 30, 2012)

Privacy International is warning that public transportation companies voluntarily share personal information about travelers with law enforcement agencies, IDG News Service reports. “Every single authority and company we have spoken to so far has shocking practices,” said a spokesman from Privacy International, which has polled 48 transport authorities and companies globally to ask how they handle personal information stored on public transportation cards. “The problem with smart cards is that they record a very fine grain of information,” the spokesman added, in some cases including bank details, e-mails, passwords and telephone numbers. While court orders are required in some countries, that is not the case for others.

PRIVACY LAW

Supreme Court Grants Leave to Appeal (October 26, 2012)

The Supreme Court of Canada has granted leave to appeal in a case involving the Information and Privacy Commissioner of Alberta, according to the Canadian Privacy Law Blog. In June, Commissioner Jill Clayton challenged an Alberta Court of Appeal ruling that deemed the province’s privacy law unconstitutional. The case stems from a 2006 incident that saw a workers’ union threaten to publish video of picket-line crossers. Clayton ruled that their privacy had been compromised, but the Alberta Court of Appeal decided the laws contravene the Charter of Rights and Freedoms. The Supreme Court will now hear the case.

PRIVACY LAW

Appeals Court Decides on Use of ISP Subscriber Info (October 26, 2012)

Two recent cases in the Ontario Court of Appeal addressed the practice of police using information obtained from Internet service providers (ISPs) to get search warrants—a practice that has been challenged as unconstitutional. In this dispatch for The Privacy Advisor, John Jager, CIPP/US, CIPP/G, CIPP/C, reports that the court upheld the trial judge’s opinion that the appellant had no reasonable expectation of privacy, but “was careful to note that this decision does not suggest that disclosure of customer information by an ISP can never infringe the customer’s reasonable expectation of privacy.”

HEALTHCARE PRIVACY

Sixth Person Fired in BC Health Data Breach (October 26, 2012)

A sixth person has been fired in relation to a BC health data breach, The Vancouver Sun reports. The workers were fired as part of an investigation following allegations they inappropriately shared health data with third-party drug researchers. As a result of the breach, the government has halted all data sharing with drug researchers. Meanwhile, one of the workers implicated has filed a defamation lawsuit.

MOBILE PRIVACY

Commissioners Issue Guidance for App Developers (October 26, 2012)

The Offices of the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia have issued new guidance to help app developers “set themselves apart by making user privacy central in their design process,” OurHometown.ca reports. “Canadians shouldn’t have to choose between sacrificing their privacy and benefitting from the next new mobile app,” said federal Privacy Commissioner Jennifer Stoddart. “Our guidance shows developers how they can meet their legal obligations to respect individual privacy while allaying consumer fears.” The guidance was released at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay and guides developers on transparency, data collection and user consent, among other topics.

TRAVELLERS’ PRIVACY

New Rules for Visitors Raise Concerns (October 26, 2012)

New rules may require visa-exempt visitors to Canada to disclose personal information such as drug use and medical conditions, and some are concerned that because the rules are lumped into the federal budget bill, the plan may not get the scrutiny it should, reports Postmedia News. The Electronic Travel Authorization is part of the Beyond the Border security deal with the U.S. and aims to confirm the legitimacy of visa-exempt travellers, speed their passage and reduce costs. Critics say this and other plans under Beyond the Border bring sovereignty and privacy concerns.

FINANCIAL PRIVACY

Breach Report: 174 Million Records Compromised in 2011 (October 25, 2012)

According to Verizon’s Data Breach Investigations Report, 174 million records were compromised in 855 data breach incidents in 2011, Out-Law.com reports. Calling it “an all-time low” for data breach protection, the report revealed that 96 percent of organizations required to follow the Payment Card Industry Data Security Standard (PCI DSS) that experienced a breach—according to Verizon’s “caseload”—were not compliant with PCI DSS. The Verizon report stated, “We are seeing a continuing trend whereby more of the organizations that fall in the 96-percent tend to be on the small side,” adding, “In many cases, these organizations have either failed to perform their assessments or failed to meet one or more of the requirements.”

PRIVACY

FPF Announces Privacy Papers for Policy Makers 2012 (October 25, 2012)

The Future of Privacy Forum (FPF) has announced this year’s selections for its Privacy Papers for Policy Makers. Of the more than 35 entries, eight were selected. The papers cover topics such as Privacy by Design, online behavioral advertising, mobile privacy, government surveillance, de-identification and social networking. FPF Founder and Co-chair Christopher Wolf said, “Improving privacy protection is vitally important in this technology age, so we are delighted to help build a bridge of communication between privacy scholars and privacy policy makers.” FPF Director and Co-chair Jules Polonetsky, CIPP/US, said, “These writings offer some of the most compelling and innovative viewpoints that we hope policy makers consider as they look to address privacy issues.”

SURVEILLANCE

UN Wants “Anti-Terror” Internet Surveillance (October 23, 2012)

The United Nations (UN) has released a report calling for more surveillance of Internet traffic and users for the purpose of undermining terrorist activity, CNET News reports. “The Use of the Internet for Terrorist Purposes” states, “One of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” The 148-page report notes that terrorists use social networks to spread propaganda. UN Executive Director Yury Fedotov said, “Potential terrorists use advanced communications technology, often involving the Internet, to reach a worldwide audience with relative anonymity and at a low cost.”

PRIVACY LAW—CANADA

Supreme Court: Employees Have Computer Privacy Rights (October 22, 2012)

The Supreme Court of Canada has ruled that employees have some privacy rights over workplace computers and that computers should not be searched by law enforcement without a warrant, the Toronto Star reports. In the 6-1 ruling, the court wrote, “Computers that are reasonably used for personal purposes—whether found in the workplace or the home—contain information that is meaningful, intimate and touching on the user’s biographical core.” The author of the ruling, Justice Morris Fish, added, “Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected.”

ONLINE PRIVACY

Microsoft Alters Its Privacy Rules (October 22, 2012)

The New York Times reports on a new policy implemented by Microsoft allowing it “broad leeway” over how it collects and processes information from consumers using its free, web-based services. Unlike Google’s policy changes earlier this year, “Almost no one noticed” Microsoft’s change, the report states, adding, “The difference in the two events illustrates the confusion surrounding Internet consumer privacy.” Consumer Watchdog’s John Simpson said, “What Microsoft is doing is no different from what Google did,” adding, “It allows the combination of data across services in ways a user wouldn’t reasonably expect.” A Microsoft spokesman said, “one thing we don’t do is use the content of our customers’ private communications and documents to create targeted advertising.” (Registration may be required to access this story.)

HEALTHCARE PRIVACY

BC Health Ministry Fires Four, Suspends Three (October 19, 2012)

The government of British Columbia has fired four employees and suspended three others after allegations that the workers inappropriately shared health data with third-party drug researchers, SC Magazine reports. The shared information in question included medication data that was not intended for research purposes. The ministry has halted all data sharing with drug and evidence development researchers, and an independent consultant will audit the ministry’s data security measures, the report states.

PRIVACY LAW

OPC Can’t Endorse “Specific Recommendations” (October 19, 2012)

In a letter to the head of the French data protection authority—the CNIL—Canadian Privacy Commissioner Jennifer Stoddart commends that agency for its leadership in reviewing, on behalf of Europe’s Article 29 Working Party (WP29), Google’s recently revised privacy policy, and clarifies that the Office of the Privacy Commissioner cannot endorse the “specific recommendations” of the WP29 but shares certain concerns and echoes the CNIL’s encouragement for the company to “consult with data protection authorities before it implements any new initiatives or expands any current practices that may impact on the privacy rights of users.”

HEALTHCARE PRIVACY

Individual Charged With Violating Alberta HIA (October 19, 2012)

The Office of the Information and Privacy Commissioner of Alberta has levied 34 charges against an individual under the Health Information Act. Charges include improperly accessing the health data of other individuals, inappropriate use of health information and inappropriate disclosure of health information. If found guilty, the individual could face a maximum penalty of $50,000 for each charge.

DATA LOSS

Stolen Laptop Contained PII of 2,000 Students (October 19, 2012)

The Calgary Board of Education (CBE) has notified police and the Alberta privacy commissioner after an employee’s laptop containing student report cards was stolen, the Calgary Herald reports. A CBE spokesman said the laptop is believed to have been password-protected. The laptop contained information of more than 2,000 students between kindergarten and grade 12 from 100 schools. The spokesman said the report cards included “the student’s name, their CBE identity number, their Alberta Education identity number, a student photo, as well as, obviously, all the comments that are on a report card from the teacher.”

SOCIAL NETWORKING

Ring: Town Violated Privacy Law (October 19, 2012)

Newfoundland and Labrador Privacy Commissioner Ed Ring determined that the Town of La Scie violated the Access to Information and Protection of Privacy Act when an employee sent two individuals’ personal information to them via the employee’s personal Facebook account, reports The Nor’wester. The town argued against the violation, saying the employee sent the information in a method that did not expose it to anyone but the intended party; however, Ring disagreed, saying, “the town chose to use a less-than-secure means…when another, more-secure means was available.” Ring recommended the town consider privacy training for its employees, including the proper use of social media.

MOBILE PRIVACY

Supreme Court Hears Appeal of Text Message Case (October 19, 2012)

The Supreme Court of Canada on Monday heard arguments in a case to determine whether a general warrant is sufficient for obtaining text messages from service providers, reports The Court. In Telus Communications Company v. Her Majesty the Queen, Telus argued that “the daily production of text messages constitutes the interception of private communications”—necessitating a wiretap authorization, while the crown argued a general warrant was valid because police were not intercepting but requiring reproduced stored text messages, the report states. The Ontario Superior Court previously ruled that because the communications were being produced after they had been sent and received, a general warrant was sufficient.

ONLINE PRIVACY—CANADA & GERMANY

Authorities To Cooperate on Cross-Border Digital Privacy (October 16, 2012)

IDG News Service reports that German and Canadian data protection authorities have signed an agreement on protecting privacy in cross-border data transfers via the web. The countries will cooperate on specific cases and inform each other on privacy complaints. “Since personal data can be transferred to other countries and parts of the world with one mouse click, data protection agencies have to cooperate better internationally,” Canada’s Office of the Privacy Commissioner noted. Germany and Canada plan to discuss extending the plan to additional countries at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay later this month, the report states.

SURVEILLANCE

Edmonton Police To Test Body-Worn Video (October 12, 2012)

Edmonton police have begun a yearlong pilot program to test audio and video recording devices that are small enough to be worn on uniforms, reports the Toronto Sun. The body-worn video recording systems were tested in Victoria, BC, in 2009 and were met with concerns about access and use of the recordings as well as the officers’ ability to turn the cameras on and off at will. Edmonton police are hearing similar concerns, and while Alberta’s privacy commissioner has been alerted to the plan, the office says it’s too soon to tell if there will be privacy concerns.

SURVEILLANCE

Stoddart Questions Increased Cameras on Parliament Hill (October 12, 2012)

Privacy Commissioner Jennifer Stoddart is questioning a plan to install 134 surveillance cameras on Parliament Hill, adding to the 50 that are currently there, reports The Globe and Mail. The RCMP and House of Commons proposal would install the cameras as part of a government security overhaul. Stoddart’s report notes that a “deliberate decision” was made not to notify the public of the surveillance with signs. In an interview, Stoddart said, “Any of these massive surveillance programs are a real infringement on citizens’ rights and have not necessarily proven their worth.”

DATA LOSS

Bar and Lounge Employees Warned of Possible Breach (October 12, 2012)

Following a break-in at the company’s head office this summer, Oil City Hospitality Group is warning hundreds of employees that their personal information has been “accessed and possibly compromised.” Employees who’ve worked at any of the company’s 11 locations are advised to take steps to protect their identity and credit, the Edmonton Journal reports. The group’s director of operations says there’s no evidence that the information—which included social insurance numbers and birth dates—has been used nefariously. “We don’t know if anything has been taken for sure, but we’re erring on the side of caution,” he said.

INFORMATION ACCESS

Gov’t To Establish Online Access-to-Information Portal (October 12, 2012)

The Globe and Mail reports on government plans for a pilot project to launch early next year that will allow citizens to request internal documents under the Access to Information Act via the Internet. At the start, the initiative would involve three departments but would later expand to include most federal agencies. Mexico has a similar portal, and the U.S. recently established its own.

PRIVACY LAW

Opinion: Bill C-30 Is Dead in the Water (October 12, 2012)

In an opinion piece for The Globe and Mail, John Ibbitson discusses Bill C-30, which once drew widespread opposition from federal and provincial privacy commissioners and some members of Parliament. In a May column this year, Ibbitson called the bill, which would have required ISPs to hand over identifying information about users, “dead in the water.” Now Ibbitson says the bill is “not just dead in the water—it’s at the bottom of the sea.” The bill was to be referred to a parliamentary committee, but Conservative House Leader Peter Van Loan says when he inquires about the bill, he gets the same answer back, “which is a non-answer.”

ONLINE PRIVACY

Officials, DAA and Microsoft Battle Over DNT (October 11, 2012)

The Digital Advertising Alliance (DAA) has responded to Microsoft’s new default-on do-not-track (DNT) browser, saying it is not an appropriate standard for customers, reports The Next Web. But Sens. Joe Barton (R-TX) and Edward Markey (D-MA) say the DAA is putting “profits over privacy.” Microsoft is holding its ground, citing a study of its customers that showed 75 percent want the company to turn DNT on for them. Meanwhile, EU Digital Agenda Commissioner Neelie Kroes is voicing her concern about the delay and the “turn taken” in the discussions at the World Wide Web Consortium, which missed a June deadline to come up with a better system for DNT.

ONLINE PRIVACY

Exploring the Privacy of Private Messages (October 5, 2012)

The Wall Street Journal reports on a recent online video allegedly showing that Facebook scans links sent via private messages and registers them as though the user “likes” the page sent. “It’s just one example of how online messages that seem private are often actually examined by computers for data,” the report states, adding, “it is not clear from Facebook’s data use policy that regular users would expect links in their messages to be scanned this way.” Facebook has responded that “absolutely no private information has been exposed,” and users’ privacy settings were not affected. (Registration may be required to access this story.)

SURVEILLANCE

Stoddart’s Annual Report Raises Surveillance, Disposal Concerns (October 5, 2012)

A proposal set forth by the Royal Canadian Mounted Police and House of Commons to more than double the number of video cameras on Parliament Hill has raised concerns from federal Privacy Commissioner Jennifer Stoddart, The Canadian Press reports. “We were concerned about the scope of the project and its potential impact on the privacy rights of parliamentarians, parliamentary staff, guests and visitors to Parliament Hill,” Stoddart’s annual report states. “According to the preliminary (privacy impact assessment), a deliberate decision was made to not post signs notifying individuals of video surveillance on Parliament Hill.” Meanwhile, Stoddart’s report has also raised concerns about the way Veterans Affairs disposes of documents containing sensitive personal information.

EMPLOYEE PRIVACY

OPC Receives Formal Complaint Over Gov’t Questionnaire (October 5, 2012)

Canada.com reports that the Office of the Privacy Commissioner (OPC) has received a formal complaint about a controversial questionnaire distributed to current and prospective border officers. OPC Spokeswoman Anne-Marie Hayden said the agency is “looking at investigating” the subject. Aimed at determining an individual’s suitability for employment, the questionnaire asks about substance abuse and other potentially invasive queries, the report states. Customs and Immigration Union Vice President Jason McMichael said of the questionnaire, “Our lawyers believe that it’s outside of privacy legislation,” adding, “Certainly, in our mind, it compromises basic civil liberties.”

ONLINE PRIVACY

Lawsuit Alleges Gmail Scanning Violates Privacy (October 5, 2012)

A lawsuit filed in BC Supreme Court alleges Google gathered information sent to and from Gmail accounts, The Vancouver Sun reports. The lawsuit seeks class-action status and could potentially include “anyone in the province who has ever sent an e-mail to a Gmail account,” the report states. The suit alleges Google intercepts and collects personal information from e-mails sent to Gmail users in order to sell targeted advertising opportunities to third parties. Google says it has no comment on the allegations at this time.

PRIVACY LAW

Appeals Court Rules on Internet Case (October 5, 2012)

The Ontario Court of Appeal on Tuesday upheld the conviction of a man who claimed his privacy was violated when his Internet service provider released his name and address to police, The Ottawa Citizen reports. The man was later convicted of child pornography offences, the report states. The court said, “The appellant’s name and address was not the kind of information that would reveal intimate personal details or lifestyle choices.” According to the report, “The ruling is significant because it’s the first time the province’s top court has weighed in on whether a computer user has a reasonable expectation of privacy when accessing the Internet.”

INFORMATION ACCESS

New Brunswick Gets “F” for Disclosures (October 5, 2012)

A Newspapers Canada audit gives the New Brunswick government a grade of “F” for its response to freedom of information requests, CBC News reports. The province received a “C” for the speed of its responses. Information and Privacy Commissioner Anne Bertrand expressed disappointment with the findings, which were released this week in the 2012 Freedom of Information Audit report. “It’s quite surprising in 2012 that some governments would approach this way of governing in secrecy or behind closed doors.”

PRIVACY EDUCATION

OPC Offering $50,000 for Privacy Research Projects (October 5, 2012)

The Office of the Privacy Commissioner of Canada (OPC) has launched its 2013-2014 Contributions Program, which offers up to $50,000 in funding for initiatives aimed at advancing privacy knowledge in the private sector, IT Business Canada reports. Privacy research projects that fall under the Personal Information Protection and Electronic Documents Act will be eligible for the funding. The four priority areas highlighted by the OPC are identity integrity and privacy; IT and privacy; genetic information and privacy; and public safety and privacy. Applicants have until November 30 to submit proposals.

INFORMATION ACCESS

FOI Group Appeals Denial of BC Health Contracts (October 5, 2012)

The BC Freedom of Information and Privacy Association is appealing the government’s refusal to comply with the group’s freedom of information request to hand over BC Health Ministry data-sharing contracts, e-mails and staff memos, reports The Victoria Times Colonist. The ministry is being investigated for inappropriate conduct, data management practices and contracting, and recently fired five employees in relation to a data breach. The association’s executive director wants the case to “go to a hearing” so “the burden is on the (Health) Ministry to show (why) these exceptions apply.”

SOCIAL NETWORKING

Facebook Launches New Help Center, Faces Criticism for Targeted Ads (October 3, 2012)

Facebook has redesigned its help center and dashboard to help users understand privacy settings, The Washington Post reports. Launched Tuesday, the center aims to help users manage their privacy settings and read about changes to the site, the report states. Meanwhile, the French data protection authority has said Facebook users’ privacy was not breached last week following concerns that private messages were being posted on public profiles. The site continues to face criticism for allowing marketers to target ads to consumers based on their web browsing activities or the phone and e-mail addresses they’ve listed on their profiles. (Registration may be required to access this story.)