Monday, April 14, 2014

Sensitive mental health info goes into police databases, shared with US government

The Information and Privacy Commissioner has released her investigation report to allegations that Ontario police are routinely inputting sensitive mental health information into national police databases, which are not only accessible to all Canadian police departments, but also the US Federal Bureau of Investigation and Department of Homeland Security.

You can get the full report here: IPC - Office of the Information and Privacy Commissioner/Ontario | Commissioner Cavoukian calls for Ontario Police Services to stop the indiscriminate disclosure of attempted suicide information.

This indiscriminate disclosure of information is not in compliance with Ontario's privacy laws, she concluded.

Tuesday, April 08, 2014

Updates to Canadian federal privacy law tabled in the Senate

As expected, the government has tabled amendments to the Personal Information Protection and Electronic Documents Act, but this time in the Senate as Senate Government Bill - S-4.

The highlights are breach notification and an exception to the consent rule for business transactions. I'll have more to say once I've given it a thorough going-over. Watch this space.

The Bill is sometimes hard to follow with the amendments out of place and out of context. So, for your handy reference, here is a redline of PIPEDA with the first reading amendments from Bill S-4 in place.

Friday, April 04, 2014

PIPEDA amendments coming next week to a Parliament near you

In a speech at the Digital Canada 150 Launch, Industry Minister James Moore hinted very strongly that amendments to Canada's private sector privacy law is just around the corner. From his speaking notes:

Digital Canada 150 Launch - Canada News Centre

Digital Canada 150 will protect Canadians online.

As we encourage even more individuals and businesses to get online, Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from cyberbullying and other online threats.

So what's new?

  • Next week I will table new legislation in Parliament to strengthen our laws to better protect the online privacy of Canadians.
  • New cyberbullying legislation will protect our families from invasion of privacy, intimidation and personal abuse.
  • We will make sure the communications networks and devices that connect Canadians will be secure from threats, protecting the privacy of families, business and governments.
  • The anti-spam laws coming into force on July 1 this year will protect Canadians from malicious online attacks.

Watch this space ...

Thursday, April 03, 2014

No expecation of privacy at a nude beach, Ontario judge finds

The latest edition of the Canadian IT Law Association Newsletter (full disclosure: I'm a contributor, but didn't write this piece) has a very good summary of a recent case from Ontario (R v Lebenfish, 2014 ONCJ 130) that held, among other things, that a person at a nude beach has no expectation of privacy. (See: Nude Beach Photography is not “Voyeurism” - Canadian IT Law Association - l’Association canadienne du droit des technologies de l’information). In this case, the accused was charged with voyeurism under the Criminal Code after he overtly took photographs of people at a clothing optional beach. The accused was found not guilty because he was acting overtly (and not surreptitiously, as the Code requires) and because the complainant did not have a reasonable expectation of privacy.

In particular, the offence required that the accused be acting “surreptitiously” and that he infringe upon the complainant’s reasonable expectation of privacy, and the trial judge found that neither of these requirements were met. Although MW was not aware that her photograph was being taken, the accused was making no attempt to conceal his activities, his camera was not concealed or disguised, the presence of the stroller attracted rather than deflected attention, and the accused’s testimony that he was indifferent to whether other people saw him take photographs was not only uncontradicted but consistent with the facts. Further, although MW testified that she subjectively expected privacy, and although she was annoyed by the accused’s behavior in taking her photograph without permission, her expectation of privacy was not a reasonable one. The beach was a public one which was a clothing-optional one, there were no signs forbidding cameras or the taking of photographs, no City policy addressed the taking of photographs, and indeed many other people at the beach in addition to the accused were taking photographs on that day (including, ironically, MW herself at the time she was being photographed). Although there might have been some evidence that the accused’s behavior was a breach of etiquette and disappointing to some people, this was not the equivalent of a reasonable expectation of privacy. Accordingly the elements of the voyeurism offence were not made out, and for similar reasons the accused was also not guilty of mischief.

U.S. (correctly) identifies some Canadian privacy laws as trade barriers

The United States Trade Representative has released its latest Report on Foreign Trade Barriers [PDF] which specifically identifies certain Canadian provincial privacy laws as non-tariff trade barriers. It points to the public sector privacy laws in British Columbia and Nova Scotia and singles out Canadian federal government procurement of cloud services:

Cross-Border Data Flows

The strong growth of cross-border data flows resulting from widespread adoption of broadband-based services in Canada and the United States has refocused attention on the restrictive effects of privacy rules in two Canadian provinces, British Columbia, and Nova Scotia. These provinces mandate that personal information in the custody of a public body must be stored and accessed only in Canada unless one of a few limited exceptions applies. These laws prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.

The Canadian federal government is consolidating information technology services across 63 email systems under a single platform. The request for proposals for this project includes a national security exemption which prohibits the contracted company from allowing data to go outside of Canada. This policy precludes some new technologies such as “cloud” computing providers from participating in the procurement process. The public sector represents approximately one-third of the Canadian economy, and is a major consumer of U.S. services. In today’s information-based economy, particularly where a broad range of services are moving to “cloud” based delivery where U.S. firms are market leaders; this law hinders U.S. exports of a wide array of products and services.

This has prompted Daniel Tencer to write in the Huffington Post that "U.S. Pushes Canada To Loosen Privacy Laws". These laws were designed to thwart the USA Patriot Act by requiring public bodies in those jurisdictions to only allow personal information to be stored in Canada and only accessed from within Canada.

As a practitioner of privacy law who has to deal with these statutes on a regular basis, I tend to agree and think the fine citizens of Nova Scotia and British Columbia would be better off without them. I have seen, on many occasions, government functionaries simply say "no" to non-Canadian vendors because of privacy risks they do not understand, denying their citizens access to leading-edge, cost saving technology. It is much simpler and easier to say "no"

The BC law came into being as a result of a public sector trade union objecting to the possible outsourcing of medicare claims processing to the Canadian subsidiary of a US corporation. When the union realized it would not get public support for their jobs, they might be able to create a spectre of the US government getting their mitts on sensitive information under the Patriot Act. The result was the BC legislation. (Ironically, the outsourcing still took place after a very convoluted corporate structure was put in place.)

Similarly, a back-bench NDP politician stood up in the legislature and raised the exact same spectre. A short while later, Nova Scotia passed the Personal Information International Disclosure Protection Act. While the Nova Scotia law is much more flexible than the B.C. statute, both are a ham-fisted response to a really nuanced issue. Instead of asking the question about the real risk to data, the default answer is always "no" when a non-Canadian vendor puts forward a cloud computing solution to a government agency.

If these laws were designed to prevent non-Canadian vendors from getting a piece of government business, they've done that quite well. But they do not actually accomplish the objective of keeping personal information out of the hands of U.S. authorities under all circumstances. To begin with, if the Americans want data that's in Canada, they are likely to get it. Canada, the United States and most western democracies engage in a very high level of cooperation that includes mutual legal assistance treaties and ad hoc information sharing. If US agencies are interested in an individual who has ties to Canada, the Federal Bureau of Investigation can make a formal request of the Royal Canadian Mounted Police or CSIS to obtain the relevant information on their behalf. (Most Canadian privacy laws actually permit this sort of information sharing under treaties or informal arrangements.) And if you are concerned about covert access to this sort of data, American laws do not prohibit federal agencies from infiltrating computers and networks outside of the United States. Some have suggested that information is safer from U.S. authorities in the U.S. because of this.

In addition, any person or corporation with sufficient ties to the United States can be compelled to hand over data regardless of where it is. This can include fully Canadian corporations with assets in the U.S. This can also take place if handing over the data would violate Canadian laws. The Huffington Post article refers to the Canadian federal government's decision to give a massive cloud "shared services" contract to Bell Canada when U.S. vendors were disqualified from even submitting a proposal. Does this make the data "safe" from the Americans? Not really, since the parent company of Bell Canada is publicly traded on the New York stock exchange. They simply can't ignore a U.S. court order.

So what's the solution to this "problem"? It would be the policy that the federal government purports to have, but does not seem to have followed in the shared services contracting. That is to do a full privacy impact assessment in all cases which fully evaluates all of the risks to privacy associated with the project, including what risks that cross-border data flows might introduce. And when I saw all the risks, I mean with a fully-informed understanding of the circumstances under which non-Canadian governments might get their hands on the data. In some cases, the risk introduced by crossing the border may be unpalatable, but at least it is an informed decision.

The current practice of simply saying no to non-Canadian vendors is a non-tariff trade barrier.

Tuesday, April 01, 2014

Charmaine Borg MP introduces private members bill to add breach notification to the federal Privacy Act

Charmaine Borg, the NDP's digital issues critic and the most activist MP in the area of privacy has tabled Bill C-580 to update the federal Privacy Act to require breach notification and a mandatory 5-year review of the Act. More info here: LEGISinfo - Private Member’s Bill C-580 (41-2).

In the wake of so many privacy breaches by federal government departments, I can get onboard with this.

Friday, March 28, 2014

Cloud Computing FAQ for Corporate Counsel

The Canadian Corporate Counsel Association Magazine (CCCA Magazine) Spring 2014 edition had a strong focus on privacy, "Managing your Privacy Risk: An In-house Guide." The edition included a version of my Cloud Computing and Privacy FAQ, focused at in-house counsel. Click the image (or here) to get the full article:

A hint at the extent of warrantless access to customer data in Canada

Earlier this week, the Halifax Chronicle Herald published a story about information that has come to light about the extent to which law enforcement agencies are seeking -- and getting -- access to private information without a warrant. (See Ottawa has been spying on you | The Chronicle Herald)

MP Charmaine Borg tabled a question in Parliament looking for particulars about how often government agencies look for and get information about customers of telecommunications services. Perhaps not surprisingly, CSIS and CSE refused to answer. The RCMP refused to provide information, saying it does not track this information. The full document is available here [PDF].

What is most interesting about the document is the extent that the Canadian Border Services Agency, the organization that polices Canada's borders, asked for and received telco customer information without a warrant. It happened over 18,000 times and telcos refused only a handful of times, mainly if they didn't have the information requested.

If I had been asked which government agencies seek warrantless access to customer data, I would have put CBSA pretty low on the list and would think they would represent a drop in the bucket. If that's the case, and the "drop in the bucket" is 18,000 requests, we must be looking at a VERY LARGE bucket.

What's also troubling is that unless charges are laid, nobody ever finds out that their information has been obtained by law enforcement. And, in fact, there's a gag order that would prevent you from getting that information from your telco. I highly doubt that CBSA laid 18,000 charges last year, so there are thousands of Canadians whose information has been accessed and they will never know about it.

Not surprisingly, some of the best analysis of this comes from Chris Parsons, a post-doctoral fellow at the CitizenLab at the University of Toronto. Read his full discussion of this here: Mapping the Canadian Government’s Telecommunications Surveillance.

In the media, this story was first reported in the Chronicle Herald by Paul McLeod:

Ottawa has been spying on you


Published March 25, 2014 - 8:19pm

Last Updated March 25, 2014 - 8:54pm

Telecom firms handing over data without warrants

Telecommunications companies gave individual customer data to the Canada Border Services Agency over 18,000 times in one year.

This information includes the content of voice mails and text messages, websites visited and the rough location of where a cellphone call was made, according to government data.

For cases involving those types of requests, Canada Border Services sought a warrant for the information. But in the vast majority of releases, the agency asked for and received basic subscriber information without obtaining a warrant.

From April 2012 through March 2013, the agency asked telecoms for information 18,849 times. Of those, 99 per cent were for subscriber information that did not involve a warrant.

Telecoms handed over the data in all but 25 cases.

“I find that shocking,” said privacy expert David Fraser, a lawyer with McInnes Cooper in Halifax.

“If you cannot convince a judge or a justice of the peace or a magistrate that you are entitled to that information, then you should not be getting that information.”

Documents show Canada Border Services appears to have an agreement with telecoms wherein basic subscriber information is handed over without the need for a warrant.

According to the agency, this type of information includes “identity and address details provided to the (service provider) when the cellular account was created.”

This includes the name and address of a cellphone user, when the individual activated their phone, their account number and what kind of payment plan is used (such as if their device is prepaid or postpaid).

Canada Border Services requested this information 18,729 times during that fiscal year.

Other information requested included text message content (77 times), voice mails (10 times), geolocation requests (63 times), websites visited or IP addresses (78 times), transmission data (113 times) and cellphone logs (128 times).

The agency says information from telecoms is key to modern crime investigations.

Its parent department, Public Safety Canada, says that when agencies ask for information, “they do so in full respect of

Canadian laws, which are some of the strongest in the world at protecting privacy.”

Public Safety says that while most information requires a warrant to obtain it, information such as a customer’s name and address carries “a lower expectation of privacy and, as such, may be requested (without a warrant) according to Canadian law.”

Subscribers are not normally notified if their information has been handed over to authorities.

Fraser, who authors a blog on Canadian privacy laws, said this arrangement violates citizens’ basic rights to privacy.

He said Canadians already rejected this kind of intrusion in the debate around Bill C-30, the government’s Internet surveillance bill. The Conservatives introduced but then killed the bill due to public backlash.

“We had all of that outrage because that piece of legislation would have legitimized this practice,” said Fraser.

“Even without that legislative cover, we have CBSA looking for this information, but even more outrageously getting it from telecommunications companies.”

Of the 25 times telecoms rejected information requests, some denials were due to phones no longer being active or a customer changing service providers.

The information given to Canada Border Services is kept for up to two years unless it is involved in criminal charges. In those cases, information is kept for up to seven years.

The RCMP, the Canadian Security Intelligence Service and Communications Security Establishment Canada were all asked by Parliament, via a member’s question, to provide the same details about such requests.

They all refused for different reasons.

The RCMP said it does not track how often it asks telecoms for information.

Communications Security Establishment Canada, in charge of foreign intelligence and securing Canadian government electronic information, said providing the information would reveal Canada’s intelligence capabilities. The body is prohibited from spying on Canadians.

The Canadian Security Intelligence Service, a spy agency that investigates suspected threats to Canadian security, admitted it may ask telecoms to provide “subscriber information and access to the content of communications.”

But CSIS said it is not allowed to provide such information because it would be a breach of national security.

I was also interviewed about this for Radio Canada International: Canadian’s private telecom information, not so private.

Tuesday, March 25, 2014

Interim Privacy Commissioner of Canada releases report on HRSDC/Student Loan privacy breach

The Interim Privacy Commissioner of Canada has today tabled in Parliament the report of her investigation into the loss of a portable hard drive that contained personal information more than half a million student loan recipients by Human Resources and Skills Development Canada. (Previous posts can be found here.)

Here's her media release:

News Release: Investigation into hard drive loss highlights important lessons for all organizations to follow - March 25, 2014

Investigation into hard drive loss highlights important lessons for all organizations to follow

OTTAWA, March 25, 2014 - The disappearance of a portable hard drive containing the personal information of 583,000 student loan recipients underscores the need to ensure that formal privacy and security policies are more than simply words on paper, an investigation has found.

The investigation by the Office of the Privacy Commissioner of Canada was launched after the hard drive was reported lost by Employment and Social Development Canada (ESDC), formerly Human Resources and Skills Development Canada.

An investigation report tabled in Parliament today details how the hard drive was left unsecured for extended periods of time; not password protected; and held personal information that was unencrypted. As well, employees handling the device were not aware of the sensitivity of the information stored on the device.

The report concludes that a gap between policies and practices at ESDC led to weaknesses in information management controls, physical security controls, and most importantly, the level of employee awareness of departmental policies and procedures.

“This incident should serve as a lesson for all organizations,” says Interim Privacy Commissioner Chantal Bernier. “Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly.”

“We are pleased that ESDC has accepted all of our recommendations and has started taking the necessary steps to implement them. We hope this investigation will prompt other federal departments and private-sector organizations to review their own privacy policies and practices.”

The Office launched the investigation in January 2013 after ESDC reported that a portable hard drive containing a substantial amount of personal information had been missing for two months.

Despite extensive search efforts, the Department was unable to locate it or determine whether human error or malicious intent was responsible.

Staff of ESDC’s Canada Student Loans Program had used the department-owned, 1 terabyte hard drive to make a backup copy of program information stored in the central computer to ensure its preservation when that data was being transferred between networked drives.

The hard drive contained the Social Insurance Number, name, date of birth, home address, telephone number, loan amounts and balances for 583,000 clients of the loans program. It also included gender, language and marital status for some.

Because of failures in departmental practices, ESDC could not conclusively identify what information was on the portable hard drive or when it had been last updated.

Nonetheless, ESDC says that no evidence has yet emerged that the personal information potentially stored on the hard drive has been accessed or used for fraudulent purposes.

The investigation found that ESDC employees had contravened sections of the Privacy Act — Canada’s federal public sector privacy law — related to the use, disposal and disclosure of personal information.

ESDC has accepted all 10 of the Commissioner’s recommendations and has already made significant steps in implementing some, including:

  • Severely restricting the use of portable storage devices and introducing system software which blocks the use of any such devices on desktop computers without specific authorization;
  • Periodically examining portable storage devices to ensure they are being used solely for the authorized reasons;
  • Reviewing all materiel holdings, disposing of transitory records and classifying remaining records at the appropriate security level; and
  • Instigating a new integrated learning strategy which focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years.

The Office of the Privacy Commissioner of Canada will follow up in one year to confirm ESDC’s progress in implementing the recommendations.

“To effectively mitigate privacy risks, there must be a synergy between privacy and security controls. Implementation of such controls will help ESDC — and all organizations — to properly protect the personal information that Canadians entrust to them,” says Interim Commissioner Bernier. “To further address broader systemic issues, we are conducting an audit of the use of portable storage devices by selected federal organizations, and we have just released some new tips for organizations on this issue.”

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations engaged in commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

See also:

Wednesday, March 19, 2014

Ann Cavoukian, Ontario's Information and Privacy Commissioner, to lead Ryerson University institute at the conclusion of her third term

Ontario's well-regarded Information and Privacy Commissioner, Ann Cavoukian, is stepping down at the conclusion of her unprecedented third term, but is then stepping across town to take a prestigious new position at Ryerson University as the Executive Director of the Ryerson University Institute for Privacy and Big Data.

From the media release:

Office of the Information and Privacy Commissioner/Ontario | Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian, appointed Executive Director of the Ryerson University Institute for Privacy and Big Data

TORONTO, March 19, 2014 /CNW/ - Ryerson University today announced the appointment of Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, as the Executive Director of the new Ryerson University Institute for Privacy and Big Data. Currently a distinguished visiting professor at Ryerson, Dr. Cavoukian's appointment will take effect at the conclusion of her unprecedented third term as Commissioner, on July 1, 2014.

"It has been an honour to serve as the Information and Privacy Commissioner for the past three terms, spanning over 15 years. Together with my hardworking and devoted staff, we have built a world-class agency, renowned for our innovation and leadership in access and privacy. We are grateful for the support of the many Ontarians who have shared with us their appreciation for the work we do and the impact we have had," says Dr. Cavoukian. "Having advised the Legislature that I would not be considering a fourth term as Commissioner (three is more than enough!), I am delighted to be able to pursue my passion for preserving privacy, well into the future, with such a progressive university as Ryerson."

Big Data - the acquisition, storage, processing, analysis and use of large data sets - has the potential to enable innovations and facilitate critical social interests with impacts felt at every level, from invaluable discoveries in health research, to mapping of human behaviour in the digital world, to management of natural resources. Ryerson's cross university Big Data Initiative (BDI) focuses on developing new tools and applying those tools to advance organizational performance across sectors. BDI brings together existing centres that collaborate with industry partners to drive the development of new Big Data based products and services, including Ryerson's Centre for the Study of Commercial Activity, Ryerson's Centre for Cloud and Context Aware Computing, and the Data Science Laboratory. The new Institute for Privacy and Big Data will help ensure privacy is considered at every stage of the process.

"The Institute for Privacy and Big Data will bring together experts from both within the university and beyond, to develop new ways to protect and promote people's privacy in the digital age," says Mohamed Lachemi, provost and vice president academic. "I would like to welcome world renowned privacy expert Dr. Cavoukian to Ryerson to lead this new initiative. I know her knowledge and expertise will have immediate impact and be of immeasurable benefit to our students."

The new Institute for Privacy and Big Data, housed within Ryerson's Faculty of Science is an important component of the university's strategy, demonstrating how to harness the power of Big Data in ways that fully respects privacy. The Institute's main objectives include:

Promote the development of technologies that analyze data within an appropriate context and privacy-protective sphere, and applying those technologies in a positive-sum manner to the various sectors of Big Data in order to improve upon the value and utility of the associated analytics, all while strongly protecting the privacy of data-subjects.

Provide an educational platform to disseminate the techniques and procedures of privacy enhanced Big Data analytics through research programs.

Provide an incubation platform for start-up companies to utilize these technologies for new markets and applications, uniquely positioning them as Privacy by Design applications, delivering both privacy and Big Data analytics.

Ryerson's existing Privacy and Cyber Crime Institute (currently within the Ted Rogers School of Management) and the research conducted within it, including areas such as workplace privacy, data breaches, identity theft and online privacy, will become part of the new Institute under Dr. Cavoukian's leadership. The new Institute will serve as a hub for Ryerson students, faculty and staff engaged in data-driven training, discovery, innovation and commercialization.

Dr. Cavoukian will take the helm of the new Ryerson Institute for Privacy and Big Data effective July 1, with an official launch to follow in the 2014-15 academic year.

About Dr. Ann Cavoukian

Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, is recognized as one of the leading privacy experts in the world. An avowed believer in the role that technology can play in protecting privacy, her ground-breaking 1995 paper with the Netherlands, on advancing privacy protection through the pursuit of privacy-enhancing technologies (PETs), is now part of the industry lexicon. Dr. Cavoukian is best known as the creator of Privacy by Design, which was unanimously approved as an international standard for privacy protection by the International Assembly of Privacy Commissioners and Data Protection Authorities at their annual conference in 2010 in Jerusalem. Since then, Privacy by Design has grown exponentially, having been operationalized in nine application areas and translated into 35 languages.

About Ryerson University

Ryerson University is Canada's leader in innovative, career-oriented education and a university clearly on the move. With a mission to serve societal need, and a long-standing commitment to engaging its community, Ryerson offers more than 100 undergraduate and graduate programs. Distinctly urban, culturally diverse and inclusive, the university is home to more than 38,000 students, including 2,300 master's and PhD students, nearly 2,700 faculty and staff, and more than 155,000 alumni worldwide. Research at Ryerson is on a trajectory of success and growth: externally funded research has doubled in the past four years. The G. Raymond Chang School of Continuing Education is Canada's leading provider of university-based adult education. For more information, visit