Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

DATA LOSS

Facebook’s White Hat Program Helped Uncover Glitch (June 28, 2013)

Facebook this week announced that a glitch exposed the personal information of six million users. In an interview with The Privacy Advisor, the company discusses how its White Hat program, which invites external security researchers to report vulnerabilities, in some cases for a monetary “bug bounty,” helped discover the problem and why it felt the need to report the breach.
Full Story

DATA LOSS

Stoddart: Better Reporting, Security, Tracking Needed (June 28, 2013)

Privacy Commissioner Jennifer Stoddart has called out “several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols,” The Canadian Press reports, citing “a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians’ personal information.” Those agencies include Citizenship and Immigration, Passport Canada, the Correctional Service, the RCMP, the Parole Board and Veterans Affairs, the report states. The comments relate to the report from the Office of the Privacy Commissioner to Parliament in April, which found that about 3,000 data breaches affecting approximately 725,000 Canadians occurred over the preceding 10 years.
Full Story

DATA PROTECTION

Denham Finds Health Ministry “Deficient” (June 28, 2013)

In a report released this week, BC Information and Privacy Commissioner Elizabeth Denham concluded the province’s Health Ministry had deficient procedures for protecting personal information “when it accused employees and contractors of a privacy breach,” the Times-Colonist reports. Denham’s report cites lack of management and control over access to personal health information among serious deficiencies in privacy practices. “It’s not good enough anymore to think about the kind of controls that would have worked in a paper environment. These are 1980s controls for 21st-century technology,” Denham said, adding, “I’m frustrated with finding these kinds of basic deficiencies.”
Full Story

PRIVACY LAW

Dickson: Saskatchewan Privacy Legislation Lagging (June 28, 2013)

The Star Phoenix reports on Saskatchewan Information and Privacy Commissioner Gary Dickson’s 10th and final annual report and his concerns that the province’s legislation “is seriously lagging behind that of its counterparts to the west.” Speaking to reporters earlier this week, Dickson said, “When it comes to access to information and privacy protection, Saskatchewan is still a have-not province. Saskatchewan residents do not have the same information rights that our neighbours in British Columbia and Alberta probably take for granted.” Dickson highlighted areas including privacy protections for private-sector employees, saying he needed to “send the clearest possible message” as there will be a new commissioner next April.
Full Story

PRIVACY BY DESIGN

How UI and UX Can KO Privacy (June 27, 2013)

At Navigate 2013, Will Dayable, co-director at Squareweave, and Jason Hong, associate professor at the Human Computer Interaction Institute at Carnegie Mellon, provoked the nearly 300 attendees into thinking about how UX (User Experience) and UI (User Interface) affect the way people experience and understand privacy. Is your privacy policy written and displayed with respect for your users?
Full Story

DATA PROTECTION

If Nine Of 10 Employees Breach Policies, How Is Privacy Possible? (June 27, 2013)

A survey taken over several years has found that out of 165,000 employees surveyed, 93 percent knowingly violate policies designed to prevent data breaches. Privacy professionals burn the midnight oil crafting policies in line with best practices. But such policies don't stand a chance at protecting consumer data if the employees charged with practicing model data-steward behavior couldn't care less about doing so. So how can a company ensure that its people are complying with the policies it promises to practice? This exclusive for The Privacy Advisor discusses a few experts’ experiences with success.
Full Story

PRIVACY POLICIES

Using Virtual Assistants To Guide Privacy Settings (June 27, 2013)

To help navigate convoluted and complex privacy settings on commonly used websites, CNET News columnist Dan Farber proposes that virtual assistants, such as Siri and Google Now, can be effective tools to give users more control of their settings. Virtual assistant apps could also help educate users on how their data is being collected, processed and shared. “Instead of reading pages of text,” Farber suggests, “users could query a virtual assistant, which could walk them through their privacy settings.” As virtual assistants “gain more popularity, managing privacy and protecting your online persona will be more of a continuous, background process handled by an intelligent agent rather than a sometimes impenetrable chore.”
Full Story

MOBILE PRIVACY

Health Group Releases mHealth Study; Privacy in HTML5 Era (June 26, 2013)

A new study by a mobile health advocacy group states there is not a “one-size-fits-all” resolution for mobile privacy legislation, Thomson Reuters reports. The mHealth Alliance report, Patient Privacy in a Mobile World: A Framework To Address Privacy Law Issues in Mobile Health, also has provided a mobile privacy toolkit for using mobile health technology. The evolving nature of mobile technology “makes it difficult, and some may say ill-advised, to create rigid legal rules that may not fit future mHealth applications or worse that may hamper their development in the first place,” the study states. Meanwhile, CIO reports on how to ensure privacy in the age of HTML5.
Full Story

MOBILE PRIVACY

Balancing the Benefits and Risks of BYOD (June 26, 2013)

InfoWorld examines the bring-your-own-device (BYOD) trend and “the question of how to balance the benefits of a self-provisioned workforce against the risks of company assets walking out the door when workers are let go.” One chief technology officer cautions, “Mobile data is a big problem, so it's time to start compartmentalizing risks. This way, you can find a balance between the benefits of a (BYOD) workforce and the risks.” The report highlights steps organizations and their IT departments can take to protect vulnerable data in the event of employee layoffs or other departures. Tips include having a written BYOD policy, keeping data off local devices and doing sweeps regularly.
Full Story

HEALTHCARE PRIVACY

For Sale: Ingestible Computers To Monitor Your Health (June 25, 2013)

The New York Times reports on a new wave of prescription pills—ones that can e-mail your doctor after being swallowed. Ingestible computers in pill-form can now monitor health data and share it wirelessly with doctors. The pills stay intact throughout the intestinal tract and are powered through stomach acids. John Perry Barlow of the Electronic Frontier Foundation says such a pill has wonderful and terrible aspects. “The wonderful is that there are a great number of things you want to know about yourself on a continual basis…The terrible is that health insurance companies could know about the inner workings of your body.” (Registration may be required to access this story.)
Full Story

DATA LOSS

Facebook Announces Breach, Notifies Users (June 24, 2013)

Facebook last week announced a programming bug that exposed six million users’ e-mail addresses and telephone numbers, the company reported in a security note issued Friday. The glitch seems to be due to the site’s “download your information” tool, which the company says was immediately disabled upon detection of the problem. Regulators in the U.S., Canada and Europe were notified, as were affected users. “We currently have no evidence that this bug has been exploited maliciously, and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said.
Full Story

EMPLOYEE PRIVACY—CANADA

Supreme Court Says No To Random Alcohol Testing (June 21, 2013)

The Supreme Court late last week ruled that companies cannot institute mandatory random alcohol testing of employees, Canada Newswire reports. “Random alcohol testing is a humiliating invasion of an individual’s privacy that has no proven impact on workplace safety,” said Dave Coles, president of the Communications, Energy and Paperworkers Union of Canada. Communications, Energy and Paperworkers Union of Canada, Local 30 vs. Irving Pulp & Paper, Limited stems from a 2006 policy by Irving that chose an employee randomly by a computer program. The employee showed a zero blood alcohol level but claimed the test was humiliating and unfair.
Full Story

DATA BREACH

CRA Employees “Repeatedly Violated” Laws (June 20, 2013)

Two Canada Revenue Agency (CRA) employees violated privacy laws repeatedly over multiple years, Postmedia News reports. “The CRA said the multiple violations didn’t require it to recoup any money as a result of the actions of the two employees,” the report states, and the CRA has put safeguards in place “to ensure that the taxpayers’ rights to privacy are protected” and reported the breaches to the Office of the Privacy Commissioner. A CRA spokeswoman said the agency “understands that prevention of security breaches, and early detection of breaches when they do occur, are key elements in protecting confidential taxpayer information.”
Full Story

SURVEILLANCE

Parliamentarian Calls for Debate; Prof. Files Complaint (June 20, 2013)

In response to the U.S. National Security Agency leaks and revelations of the Communications Security Establishment Canada program, NDP Digital Issues critic Charmaine Borg (Terrebonne-Blainville) has called for an emergency debate on law enforcement collection of citizens’ personal information, Northumberlandview.ca reports. “As parliamentarians, it is our responsibility to balance public safety and national security interests against the privacy rights of law-abiding Canadians,” she said. Meanwhile, a professor has filed a complaint with the privacy commissioner saying the Defence Department has violated privacy law by not publishing the latest personal information listings of the CSEC.
Full Story

INFORMATION ACCESS

Opinion: Road to FOIP Continues (June 20, 2013)

“How Saskatchewan has gone from being one of the innovators in freedom of information and privacy laws 20 years ago, to legislating a corporation's right to privacy this spring is a long and winding journey,” columnist Murray Mandryk writes for The Regina Leader-Post, suggesting “the recent unprecedented step towards declaring a corporation's ‘privacy interest’ in its dealings with government…is a step backwards.” As Saskatchewan Freedom of Information and Privacy (FOIP) Commissioner Gary Dickson comes to the end of his decade in the post, he is doing his best to drive home the importance of FOIP laws, Mandryk reports, noting Dickson has cautioned “some may misinterpret or take liberties with what ‘privacy interests’ of corporations really means.”
Full Story

ONLINE PRIVACY

W3C Moves Forward on June Draft; Group Launches Privacy Controls (June 20, 2013)

ZDNet reports on two developments in the Do-Not-Track initiative. First, those participating in a World Wide Web Consortium conference call agreed to accept a draft of the standard in an effort to work toward “Last Call,” when the proposal is brought for a vote. The draft is being dubbed the June Draft. Also, Mozilla has teamed up with Stanford’s Center for Internet Society to announce it is launching its own set of privacy controls on the web. Called a “Cookie Clearinghouse,” it will allow users to create and maintain “allow lists” and “block lists,” the report states.
Full Story

ONLINE PRIVACY

Officials Want Answers on Google Glass (June 19, 2013)

Privacy officials from six countries have written to Google CEO Larry Page requesting more information about Google’s wearable computer technology, Google Glass. Privacy commissioners in Canada, Australia, New Zealand, Mexico, Switzerland and Israel want to know how the information collected by the technology may be used, CNET News reports. “We would be very interested in hearing about the privacy implications of this new product and the steps you are taking to ensure that, as you move forward with Google Glass, individuals’ privacy rights are respected around the world,” the officials wrote.

HEALTHCARE PRIVACY—CANADA & U.S.

OCR Announces Prime Resolution Details (June 18, 2013)

The Office for Civil Rights (OCR) has posted the $275,000 data breach resolution agreement with Prime Healthcare and the findings from its investigation, HealthIT Security reports. The OCR found Prime’s Shasta Regional Medical Center “failed to safeguard patients’ protected health information (PHI) from impermissible disclosure by intentionally leaking PHI to multiple media outlets on at least three separate occasions without a valid written authorization,” the report states. The report also details the specific areas in which the OCR found Prime Healthcare to be negligent.
Full Story

GENETIC PRIVACY

DNA Samples May Be More Identifiable Than Thought (June 17, 2013)

The New York Times reports that while research subjects are often told that the DNA sample they’ve provided for the sake of science is not identifiable and their anonymity will be preserved, “geneticists nationwide have gotten a few rude awakenings, hints that research subjects could sometimes be identified by their DNA alone or even by the way their cells were using their DNA.” Such revelations are particularly concerning following the announcement that nearly 80 researchers want to combine the world’s DNA databases to make it easier for researchers to retrieve and share such data. Meanwhile, local law enforcement agencies across the U.S. have begun amassing their own DNA databases. (Registration may be required to access this story.)
Full Story

SURVEILLANCE

NSA Leaks Bring Domestic Spying to Light (June 14, 2013)

The fallout from the U.S. National Security Agency’s (NSA) surveillance programs has Canadian officials, including Privacy Commissioner Jennifer Stoddart, looking at the Canadian government’s surveillance of phone and Internet records. This roundup looks at Canada’s response to the NSA programs, a project by a group of University of Victoria researchers and the similarities and differences between the laws governing the U.S. and Canada with respect to government surveillance.
Full Story

DATA LOSS

Treasury May Soon Report Every Breach (June 14, 2013)

Postmedia News reports on a policy change that could come into effect this fall requiring Treasury Board employees to report every data breach to the Office of the Privacy Commissioner. Scott Hutchison, a spokesman for Privacy Commissioner Jennifer Stoddart, said the Treasury Board’s president raised the mandatory reporting policy during a meeting in May. “On the surface it could be a step in the right direction, but while this was mentioned in the meeting between our commissioner and the president of Treasury Board, our office would appreciate…a discussion on the potential benefits and risks of making privacy breach notification mandatory through policy,” Hutchison said.
Full Story

INFORMATION ACCESS

Alberta Reviewing FOI Act, Looking for Comments (June 14, 2013)

Edmonton Journal reports the Alberta government is seeking comment on the Freedom of Information Act through July 31. “We’re going to be reviewing every aspect of the act,” says Don Scott, associate minister of accountability, transparency and transformation. There is no time limit for the government to produce a report based on the feedback, and some opponents question the motives behind the initiative. Liberal MLA Laurie Blakeman says this duplicates work done in 2010 by the all-party standing committee on health, noting that none of the 24 recommendations made then have been implemented.
Full Story

PRIVACY IN POPULAR CULTURE

IAPP Members in the News (June 13, 2013)

If nothing else, the news that has been rippling around the globe about the U.S. government’s surveillance practices has brought privacy to the forefront of public discourse. Therefore, it shouldn’t be surprising that our IAPP members are showing up all over the media in recent days. The Privacy Advisor takes you on a quick tour of IAPPers in the mass media.
Full Story

DATA LOSS

Breach Stats and Implications: A Roundup (June 12, 2013)

From loss of patient data to the potential impact of the recent NSA/PRISM revelations on psychiatric patients to how the legislation affects data breach costs, breaches and their implications are making headlines across the globe. This roundup for The Privacy Advisor highlights some of the latest news, including BankInfoSecurity’s report on Symantec’s Cost of a Data Breach Study, conducted by the Ponemon Institute, which indicates the average cost of a data breach has gone up from $130 per record in 2011 to $136 per record.
Full Story

HEALTHCARE PRIVACY—CANADA & U.S.

Hospital Chain To Settle Suit for $275K (June 12, 2013)

Canadian hospital chain Prime Healthcare has agreed to settle for $275,000 a U.S. federal investigation into alleged privacy violations. Los Angeles Times reports that Prime’s Shasta Regional Medical Center was accused of violating patient confidentiality by sharing a patient's medical records with journalists and e-mailing her treatment details to almost 800 hospital employees. While the company agreed to the settlement, it admitted no wrongdoing and claims it “would have prevailed in this matter based upon the merits.” California regulators fined Prime $95,000 for this breach last year, but the company says it plans to appeal that fine.
Full Story

BIOMETRICS

Google Outlaws Facial Recognition, Voiceprints for Google Glass (June 11, 2013)

Google has decided to ban facial-recognition technology from its Google Glass product, following pressure from the U.S. Congress. It has also banned voiceprints, which would allow the microphone to identify a speaker. App developers—including Lance Nanek, who built an app that would allow clinicians wearing the glasses to verify patient identities and pull their medical records without having to turn to a secondary device—are disappointed in the decision. The company says it will not allow such applications until “strong privacy protections” are in place, but the Future of Privacy Forum wonders “what sort of privacy protections can actually be put in place for this sort of technology?”
Full Story

DATA PROTECTION

Stoddart’s Report Calls Out Breaches, Calls for Change (June 7, 2013)

Using real life examples of data breaches, Privacy Commissioner Jennifer Stoddart highlighted in her final report the ways current law protecting personal information needs revision, The Globe and Mail reports. Stoddart called attention to the fact that often the “improved privacy practices among businesses” that she’s seen in her tenure have been the direct result of “long investigative and follow-up processes, and therefore at significant costs,” adding, “Canadians would be better served by a law that motivates organizations to put privacy considerations up front, rather than the current situation where we’re left to trigger a mop-up after privacy is violated.” Editor’s Note: Stoddart delivered a keynote address on PIPEDA reform at the IAPP Canada Privacy Symposium in May.
Full Story

INFORMATION ACCESS

Cavoukian Speaking Out on “Oral Government” (June 7, 2013)

According to the BC Freedom of Information and Privacy Association (FIPA), Ontario Information and Privacy Commissioner Ann Cavoukian has issued a report calling for a required “duty to document,” stating that there is a “culture of avoiding the creation of written documentation” growing in government. Cavoukian’s report backs up a similar report from BC Commissioner Elizabeth Denham issued earlier in the year. FIPA’s Executive Director Vincent Gogolek said, “If we have any hope of holding government to account, public officials must be required to make and keep records of what they are doing.” Cavoukian has given the Ontario government a September deadline for a report on its progress.
Full Story

MOBILE PRIVACY

Opera Releases Mobile Browser With Privacy Built-In (June 6, 2013)

The Norwegian browser developer Opera announced this week the release of Opera Mini 4.5, a low-end mobile browser intended for “featurephones.” Notably, it has a built-in private setting that keeps any login or data from being saved to the phone. For example, friends can log in and check Facebook without worries their log-in information will be retained.
Full Story

GENETIC PRIVACY

Privacy Is Major Hurdle for Research Group (June 6, 2013)

A group of geneticists have established a consortium aimed at creating a database of genetic and clinical data that could be accessed by doctors and researchers across the globe, reports The New York Times. Experts from the consortium say the major challenge is a lack of standards for storing and sharing data and for assuring that patients consent to this sharing of their data. “The question is whether and how we make it possible to learn from these data as they grow, in a manner that respects the autonomy and privacy choices of each participant,” said David Altshuler of Harvard and MIT. The group consists of more than 70 medical, research and advocacy organizations active in 41 countries. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Study: Avg. Breach Cost Is $136 Per Record (June 5, 2013)

Ponemon Institute and Symantec have released a study indicating human errors and system problems were the causes of two-thirds of data breaches in 2012, and the average breach cost is now up to $136 per record, The Wall Street Journal reports. The issues involved included “employee mishandling of confidential data, lack of systems controls and violations of industry and government regulations,” the report states. The study also found financial services incidents to be the most costly. (Registration may be required to access this story.)
Full Story

PRIVACY BIZ

Evidon To Acquire MobileScope (June 5, 2013)

MediaPost News reports on privacy-compliance company Evidon’s acquisition of MobileScope, a tool used to determine mobile apps’ collection or sharing of information about users. The deal, expected to be finalized today, will see Evidon incorporating MobileScope into a subscription-based offering that allows companies to view what data is being mined from their services for the purposes of ad targeting.
Full Story

PRIVACY ENGINEERING

What Misconceptions Do Consumers Have About Privacy? (June 4, 2013)

“Control of personal information in the digital space, and particularly on mobile devices, presents a unique design challenge,” writes Create with Context CEO Ilana Westerman in this Privacy Perspectives post. “We can leverage existing technology to create new experiences around personal data collection that are both transparent and provide control,” she notes, “But before we can begin to think about design solutions, we need to understand consumers’ current experience and expectations of how their personal information is handled and safeguarded.”

SURVEILLANCE

UN Report: State Surveillance Violates Rights to Privacy, Expression (June 4, 2013)

The United Nations (UN) Office of the High Commissioner of Human Rights drew attention today to its recent report indicating state communications surveillance undermines the human rights to privacy and freedom of expression. “Concerns about national security and criminal activity may justify the exceptional use of communications surveillance,” said UN Special Rapporteur Frank La Rue. “Nevertheless, national laws regulating what constitutes the necessary, legitimate and proportional state involvement in communications surveillance are often inadequate or simply do not exist…Who are the authorities mandated to promote the surveillance of individuals? What is the final destiny of the massive amounts of the stored information on our communications? These questions urgently need to be studied in all countries to ensure a better protection of the rights to privacy and the right to freedom of expression.”
Full Story

ONLINE PRIVACY

Yahoo E-Mail Scans Not New Practice (June 4, 2013)

CNET reports that news Yahoo users will have their e-mail scanned so relevant ads may be sent to them isn’t actually news at all; the service provider has been doing so since 2011. "This is not about a new policy," said Yahoo spokeswoman DJ Anderson. "We believe having personalized experiences benefits the user. If the user doesn't want to have contextual-based or interest-based advertising, they can opt out of that through our ad interest manager." Users may have simply become aware of the change when Yahoo recently informed users they will be required to upgrade to a newer version of Yahoo mail, which would require them to accept Yahoo’s terms of service and privacy policy.
Full Story