Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

DATA PROTECTION

Veterans Affairs Minister: Veteran’s Privacy Is Vital (November 30, 2012)

In a column for the Ottawa Citizen, Minister of Veterans Affairs Steven Blaney writes, “Our government has been very clear on the fact that we take privacy matters and the privacy of veterans extremely seriously,” and through initiatives such as the 10-point Privacy Action Plan and the Privacy Action Plan 2.0, “we are greatly strengthening privacy protection and building a culture of increased respect and care for veterans’ privacy within the department.” Blaney adds that “as a further indicator of how seriously we take privacy matters,” the department has implemented a “privacy respect and compliance component” for staff eligible for performance pay or bonuses.

ONLINE PRIVACY

UN Deep Packet Inspection Standards Raise Concerns (November 30, 2012)

The United Nations’ International Telecommunication Union has approved a deep packet inspection (DPI) standard that is raising privacy and security concerns, IDG News Service reports. The Center for Democracy & Technology’s (CDT) website says the standard—known as the “Requirements for Deep Packet Inspection in Next Generation Networks,” or Y.2770—“could give governments and companies the ability to sift through all of an Internet user’s traffic—including e-mails, banking transactions and voice calls—without adequate privacy safeguards.” CDT Chief Computer Scientist Alissa Cooper said, “There is a general lack of attention to design considerations we think are important to Internet users, namely privacy and security. Obviously DPI has the potential to be an extremely invasive technology.”

DATA PROTECTION

Elections Ontario To Adopt Staff Privacy Training, CPO (November 30, 2012)

In response to a privacy breach earlier this year, Elections Ontario is in the process of implementing a corporate-wide privacy training program and appointing a chief privacy officer, the Toronto Sun reports. The recommendations being adopted were submitted by privacy experts, the report states.

CONSUMER PRIVACY

Rental Car Firm Retaining Driver’s Licence Info (November 30, 2012)

One month after Alberta Privacy Commissioner Jill Clayton ordered a rental car company to cease retaining photocopied driver’s licence images of its customers, the company continues the practice, CBC News reports. “For us, it’s strictly protection of our asset,” a company representative said, adding that the photocopy is destroyed after the vehicle is returned. The privacy commissioner has said the company does not need the data in the first place and will have until mid-December to comply, the report states.

PRIVACY LAW

Law Prevents Adequate Driver Checks, Says Taxi Co. (November 30, 2012)

A St. John’s-based taxi company has said that provincial privacy law is preventing it from accurately checking employees’ driving history, CBC News reports. A company representative said his organization can mandate that drivers produce a certified driving record and ask drivers to update any changes to their record, but beyond that, provincial law prevents the company from further investigation, the report states. “They don’t give us the power to phone in motor vehicles and ask for a particular person’s driver’s licence, if it expired or not,” the representative said.

ONLINE PRIVACY

New W3C Mediator Looks To Salvage DNT Process (November 29, 2012)

The New York Times reports on the “acrimonious discussions” within the World Wide Web Consortium’s (W3C) effort to work out a global Do-Not-Track standard and the difficult task facing newly appointed W3C Co-Chair Peter Swire, CIPP/US. “People can choose not to have telemarketers call them during dinner. The simple idea is that users should have a choice over how their Internet browsing works as well,” Swire said, adding, “The overarching theme is how to give users choice about their Internet experience while also funding a useful Internet.” (Registration may be required to access this story.)

CLOUD COMPUTING—CANADA

Laws Expose Firms to Class-Action Risks (November 28, 2012)

Financial Post reports on lawyers’ assertions that the rapid development of privacy laws in Canada—while private- and public-sector businesses increasingly store customer data in the cloud—could lead to an influx of class-action lawsuits for data losses. Under anti-spam legislation and the recently established common law tort, plaintiffs have a “tremendous ability” to bring claims without proving harm, said Alex Cameron, an attorney at Toronto’s Fasken Martineau DuMoulin. “Over the past two years, Canada has seen a number of developments which point to a great increase in class-action activity for privacy-related issues,” he said. Federal privacy legislation holds businesses responsible for information processed by a third-party, the report states.

EMPLOYEE PRIVACY—CANADA

Drug Testing Vs. Privacy To Be Weighed in Courts (November 27, 2012)

Cases involving employer drug testing and employee privacy are set for hearings in two Canadian courts, the Calgary Herald reports. Next week, the Alberta Court of Appeal will hear from an energy company that is arguing against an injunction preventing the company from implementing random drug testing of employees. Next month, the Supreme Court of Canada will hear a case involving a company’s plans to have employees submit to mandatory breathalyzer tests. Both companies argue the testing improves job safety, but others argue it infringes on employees’ right to privacy. “Unlike the United States…Canada has had little experience with randomly administered on-the-job tests,” the report states. “But that could be about to change.”

ONLINE PRIVACY

Surveys Find Consumers Worried About Privacy, External Hacks Increased (November 21, 2012)

A new report from Advertising Standards Canada (ASC) has found that Canadians are worried about their personal privacy and marketers “should take action” to ensure responsible data collection and use, The Globe and Mail reports. After questioning 1,000 Canadians online, ASC is recommending a four-step process for marketers to gain consumer trust, including giving consumers control, choice, commitment and compensation regarding their data. Meanwhile, an Ernst & Young survey has found that 77 percent of global respondents have experienced at least one external attack on their information systems within the last year. That’s up from 72 percent in 2011 and 41 percent in 2009.

CLOUD COMPUTING

Cloud Storage Can Complicate Lawful Compliance (November 21, 2012)

Financial Post reports on concerns involving cloud computing and the transfer of personal information, particularly when the data lands in jurisdictions outside of Canada. “There may be situations where the government authorities, courts, administrative bodies wherever the server is located, may have more access or different access to your data than you would expect here in Canada,” said Mark Hayes of law firm Heydary Hayes PC. The Office of the Privacy Commissioner of Canada says companies should take precautions when transferring data by signing contracts with third-party processors.

ONLINE PRIVACY

Group Working on Privacy Policy Iconography (November 20, 2012)

A group of lawyers, coders and industry representatives have begun an experiment to make privacy policies “more palatable” to online users, The New York Times reports. The goal is to comb through the privacy policies of 1,000 websites and assign corresponding icons to educate users on how a website uses, shares and retains personal information. Mozilla Chief Privacy Officer Alex Fowler, whose firm is housing the experiment, said, “We are in a model now where no one reads privacy policies…Does icon-ifying them make it of interest to the user? We have a ways to go.” (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—CANADA

Commissioner Calls For Answers on Mini-Visas (November 20, 2012)

Privacy Commissioner Jennifer Stoddart is raising concerns about a new mini-visa that will require some visitors to Canada to disclose personal information that may include details about their mental health status and drug use, Canada.com reports. Stoddart has called on the government to ensure that details of the Electronic Travel Authorization (eTA), part of Canada’s Beyond the Border security deal with the U.S., are lawful. “One of my office’s concerns about the eTA program is its lack of transparency and the degree to which the details of the program are deferred to regulation,” she said, adding questions on data use, retention and government sharing have not yet been addressed.

SURVEILLANCE—CANADA

Denham Wants Changes to Licence-Plate Scanning Plan (November 16, 2012)

BC Privacy Commissioner Elizabeth Denham has said police need to make changes to their Automatic Licence Plate Recognition (ALPR) program in order to comply with privacy laws, reports The Globe and Mail. ALPR uses cameras mounted on police vehicles to scan licence plates and flags drivers who have or have had infractions. Denham’s main concern is that, currently, “non-hit” data—that which doesn’t raise a flag—is added to a database and eventually deleted. “Non-hit data is…information that the police have no reason to believe relates to criminal activity. This information is not serving a law enforcement purpose, and therefore (Victoria police) cannot disclose it to the RCMP,” Denham wrote in her report.

FINANCIAL PRIVACY

Call for Scrutiny of Electronic Transfers Raises Concerns (November 16, 2012)

The Canadian Press reports on the Strategic Alliance Group, which includes law enforcement officials from Canada, the U.S., UK, Australia and New Zealand; its considerations of “greater intelligence-sharing as a means of combating transnational organized crime,” and the privacy questions expressed by Privacy Commissioner Jennifer Stoddart. Stoddart’s concerns include giving “the federal anti-money laundering agency broader powers to scrutinize electronic funds transfers,” the report states, as “that would mean examining large numbers of harmless transactions—such as money transferred by parents to children studying abroad.”

ONLINE PRIVACY

Bill C-30 Debate Continues (November 16, 2012)

The federal privacy commissioner as well as commissioners from BC, Ontario and Alberta continue to debate Chief Constable of the Vancouver Police Jim Chu over the problems and merits of Bill C-30 through letters and guest columns in Canadian newspapers. While Chu claims a letter from the provincial commissioners “is an excellent example of the misunderstanding and consequent misinformation being disseminated regarding Bill C-30,” the commissioners indicate Chu is underestimating the potential for subscriber data alone to create a “detailed personal profile of a personally identifiable individual.” Federal Privacy Commissioner Jennifer Stoddart writes, “It is true that law enforcement powers need to be modernized, but so too do the laws that ensure Canadians' privacy rights are fully respected.”

PERSONAL PRIVACY

Dickson Offers Recommendations in Two Reports (November 16, 2012)

Saskatchewan Information and Privacy Commissioner Gary Dickson recently completed two investigations, reports The Regina Leader-Post. In one report, Dickson addressed a complaint from an SGI employee who said her information was accessed by coworkers when the insurance company processed her personal claim. Dickson recommended the company take steps to better protect employees’ information when they make a personal claim for compensation and determined the company could not use information in the claim for return-to-work planning without the employee’s consent. In another report, Dickson said a lack of clear mail-handling policies at the Workers’ Compensation Board contributed to personal information being sent to the wrong people.

PRIVACY—CANADA

Veterans Call For Inquiry Into Complaints (November 15, 2012)

The Canadian Press reports on veterans’ calls for inquiries into complaints of alleged privacy violations. After the veterans ombudsman received nine complaints in the last five years, seven of which were referred to the privacy commissioner, veterans Harold Leduc and Tom Hoppe are calling for investigations by both the ombudsman and Privacy Commissioner Jennifer Stoddart on their filed complaints. A citizens’ group has demanded a public inquiry, alleging that privacy violations at Veterans Affairs targeted advocates.

PRIVACY

DPAs Discuss Self-Regulation, Cross-Border Rules (November 15, 2012)

Hogan Lovells’ Christopher Wolf reports for The Privacy Advisor on the recent gathering of privacy authorities and professionals at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay. While Article 29 Working Party Chair Jacob Kohnstamm announced that future conferences will consist of private meetings between data protection authorities unless the conference’s host country decides otherwise, Wolf says the conference’s public sessions are very useful, including the “informal interactions in the hallways and at meals among the public and official participants.” The conference saw discussions about APEC’s Cross-Border Privacy Rules, self-regulation versus formal regulations and the proposed EU Data Protection Regulation, among other topics.

ONLINE PRIVACY

Government Requests for Online Data Increase (November 14, 2012)

Google has released its sixth Transparency Report since 2009 outlining requests from government agencies and others to access data and remove content. BBC News reports that in the first six months of 2012, governments across the globe have made almost 21,000 requests to access data held by Google. The U.S. government made the most requests, totaling 7,969, with Turkey leading the requests for content removal at 501 requests. "This is the sixth time we've released this data, and one trend has become clear: Government surveillance is on the rise," Google said in a blog post. "Our hope is that over time, more data will bolster public debate about how we can best keep the Internet free and open."

BEHAVIORAL TARGETING

Study Examines Marketing and Privacy (November 14, 2012)

The Edelman Privacy Risk Index, produced with The Ponemon Institute, has found that 60 percent of 6,400 marketing executives from 20 countries believe “their companies don't consider privacy a priority, and more than half don't believe that a data breach would adversely affect their corporate reputations,” Direct Marketing News reports. Edelman found, however, that “eight in 10 consumers would leave banking institutions that accessed their personal information without permission,” the report states. Larry Ponemon, CIPP/US, suggests that while most direct marketers do respect privacy, marketers should identify their customers who are most concerned about privacy “and make it very easy for them to opt in or out of communications.”

EMPLOYEE PRIVACY—CANADA

Exploring Workplace Privacy Expectations (November 9, 2012)

In a report for MACLEANS.CA, Jesse Brown explores the implications of a recent Supreme Court of Canada ruling on employee privacy rights. Brown points out that Canadians can now “expect some degree of privacy when using workplace computer gear” but notes that employers can still legally check an employee’s browser history on work devices. “The court’s point,” Brown writes, “is that each case must be considered individually and that privacy is not something that Canadians automatically and completely surrender just by showing up to work.” The case is expected to be cited in many future lawsuits, he adds.

ONLINE PRIVACY

OPC Releases Videogame Privacy Guidelines (November 9, 2012)

Privacy Commissioner Jennifer Stoddart has issued a set of guidelines aimed at protecting the privacy of videogame users, TECHVIBES reports. “As gaming consoles are now onramps to the Internet, we need to recognize that, like anything else that brings together personal information and connectivity, there are privacy issues at play,” said Stoddart, adding, “Interactive gaming accounts are increasingly becoming linked to social networks, while videogames are also avenues for advertisers to youth.” Stoddart recommends users create strong passwords, regularly check their credit card statements and examine the associated privacy policies.

ONLINE PRIVACY

Google Releases Chrome with Improved Privacy Controls (November 8, 2012)

Google has updated its browser to Chrome 23, which includes easier access to privacy controls such as the ability to delete cookies and block sites from tracking users online, reports Webmonkey. “The new drop-down menu also has options to control a website’s permissions for features like geolocation, pop-ups, plugins, fullscreen mode, camera/microphone access and more,” the report states. While these features have been available on past versions of Chrome, the interface has been moved from three levels deep to a drop-down menu next to the URL. Chrome is the last browser to provide support for Do Not Track, and like many others, it is activated on an opt-in basis, the report states.

ONLINE PRIVACY—CANADA

Police Chief, Commissioners Disagree on Bill C-30 (November 8, 2012)

Federal and provincial privacy commissioners have responded to a police chief’s column backing the Protecting Children from Internet Predators Act, or Bill C-30. Vancouver Police Department Chief Constable Jim Chu argues the bill will both respect privacy and improve Canadians’ safety. In response, Federal Privacy Commissioner Jennifer Stoddart said the bill “must be amended to respect privacy rights.” Provincial privacy commissioners from Alberta, British Columbia and Ontario also wrote a joint response to Chu’s column. They wrote, “New surveillance powers must not come at the expense of our right to privacy.” Meanwhile, a columnist opines that the newly proposed Safeguarding Canadians’ Personal Information Act will erode online privacy.

PRIVACY LAW—CANADA

Privacy Commissioner: Union Accountability Bill “Highly Disproportionate” (November 8, 2012)

Privacy Commissioner Jennifer Stoddart has told a parliamentary committee that despite amendments to Bill C-377, it raises “serious privacy concerns,” Toronto Sun reports. The bill aims to achieve greater accountability from unions on budgets, executive salaries and political activities, among other topics. Stoddart said the bill would require names, salaries and other financial details to be disclosed, calling such action a “significant privacy intrusion” that “seems highly disproportionate.” Meanwhile, the Supreme Court of Canada has granted leave to appeal in a case involving union picketers that would clarify the application of Alberta’s Personal Information Protection Act.

ONLINE PRIVACY

App Developers Overlooking Privacy (November 8, 2012)

App developers may be overlooking established rules around privacy, Financial Post reports. A September report by the Pew Research Center found that more than half of app users have decided not to install or have uninstalled an app when they realized the personal information it would collect. Canadian privacy commissioners recently released guidance for app developers predicting “increased scrutiny” of apps’ privacy policies moving forward. “It is very difficult for startups to navigate around privacy rules,” said one expert. “I think a lot of startups end up not worrying about it, in the idea that they will have to deal with it if they become as successful as Facebook.”

SOCIAL NETWORKING

Facebook Releases Privacy Tool for New Users (November 5, 2012)

The Washington Post reports on Facebook’s rollout of a tool for new users. The tool, which is in part a result of talks with the Irish data protection authority (DPA) following its audits of the company, “gives users specific instructions on Facebook’s default settings, sharing permissions, policies on data access, rules about apps, games and third-party websites, advertisements, photo tags and the way the site finds friends and connections for new users,” the report states. Facebook Chief Privacy Officer Erin Egan said in a statement that the company is committed to helping users understand their online sharing options and thanked the Irish DPA for its work. (Registration may be required to access this story.)

PRIVACY LAW

Police Push for Surveillance, Data-Sharing Legislation (November 2, 2012)

Police chiefs across the country are pushing for controversial Internet surveillance legislation in the name of investigations involving cyber and cell phone technology, The Canadian Press reports. The Canadian Association of Chiefs of Police says such investigations are being hampered by antiquated laws and wants Bill C-30 back on Parliament’s agenda, though privacy concerns halted its progress earlier this year. Police say requiring Internet providers to share information on subscribers would allow for better crime-solving and would help thwart cases such as cyberbullying. Meanwhile, Bill C-12, which would facilitate data sharing between online service providers and police, is expected to see a second reading debate soon.

ONLINE PRIVACY—CANADA

Stoddart Pleased with Sites’ Progress on Compliance (November 2, 2012)

Canadian Privacy Commissioner Jennifer Stoddart says she’s pleased with the progress made by organizations flagged as raising privacy concerns, ITBusiness.ca reports. In September, Stoddart said some leading Canadian websites were inappropriately sharing users’ personal information with third parties. After investigating 25 shopping, travel and media sites, Stoddart wrote to 11 of them asking for changes in order to comply with Canadian privacy law. A Stoddart spokesperson said she’s “pleased that they appear to be taking this issue very seriously,” and the office is now analyzing their responses for continued discussions.

CONSUMER PRIVACY

Woman Files Suit Over iPod (November 2, 2012)

A Surrey woman has filed a suit in British Columbia’s Supreme Court alleging Apple’s iOS4 operating system violates users’ privacy rights, The Vancouver Sun reports. Amanda Ladas says her iPod allows anyone with “moderate computer knowledge” to determine her location. The suit, which seeks class-action status, claims Apple has “violated the privacy and security rights” of Ladas and other potential plaintiffs and “has engaged in deceptive acts or practices” entitling plaintiffs to damages.

ONLINE PRIVACY

Google Exec: Internet Evolves Too Fast for Regs (November 2, 2012)

The Canadian Press reports that a Canadian policy manager at Google, Colin McKay, told a House of Commons committee that the online world moves too fast to create regulations that will endure and that a more enforcement-focused system could curb open discussions between tech companies and regulators. "We would have to consider what the possible repercussions of having that open a discussion, in a system that's more heavily focused on enforcement, would have on how our products roll out and how the privacy commissioner interprets our actions," McKay said, adding that the two sides now engage in constructive dialogue and companies respond quickly to rulings.

MOBILE PRIVACY

Study: Free Apps Present More Privacy Risks (November 1, 2012)

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps, the San Jose Business Journal reports. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401 percent more likely to track location and 314 percent more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with who and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.”