Sunday, October 31, 2004

Release: President of the Treasury Board responds to BC cross-border privacy report

The following was released by the President of the Treasury Board, Reg Alcock, on Friday, October 29, 2004:

Statement by Reg Alcock, President of the Treasury Board, in response to the report issued by the Information and Privacy Commissioner for British Columbia:

"For immediate release
October 29, 2004

Ottawa - Reg Alcock, President of the Treasury Board issued the following statement today in response to the report issued by the Information and Privacy Commissioner for British Columbia on Privacy and the USA Patriot Act:

"The Government of Canada is currently reviewing the report released today by the Information and Privacy Commissioner for British Columbia on Privacy and the USA Patriot Act. We are committed to doing everything we can to protect the privacy of Canadians with respect to key federal personal and sensitive information holdings. The Government will continue to work closely with the federal Privacy Commissioner, provincial governments and the private sector to protect the security and privacy of Canadians and the interests of Canadian businesses.

We are also calling on Canadian businesses to continue to respect the privacy rights of Canadians with regards to information the private sector possesses on individual Canadians, as legislated under the Personal Information Protection and Electronic Documents Act.

The actions taken by the Government in response to potential privacy and contracting risks posed by the USA Patriot Act include: a review by Government departments of their outsourcing arrangements to determine if action is needed; continuing the review of federal privacy laws and policies; and cooperating with the OPC on the planned audit in 2004-2005 of the transfer of personal information between Canada and the United States".

Release: Federal Privacy Commissioner calls for further examination of transfer of personal information about Canadians across borders

Jennifer Stoddart, the Privacy Commissioner of Canada, ended last week with a statement following the publication of the BC Commissioner's report on cross-border privacy issues:

News Release: Privacy Commissioner calls for further examination of transfer of personal information about Canadians across borders - August 18, 2004: "Striking a balance between the protection of privacy and the promotion of national security is one of the single most important issues facing our society today," said Ms. Stoddart. "This is an issue to be addressed by all jurisdictions across Canada and our Office looks forward to working with the federal government and the BC Information and Privacy Commissioner to address recommendations in the report."

Saturday, October 30, 2004

For those in the loop, RFID is a privacy concern

Government Technology is reporting a recent survey that has determined that, among those who are aware of RFID, 63% of those polled are concerned about the privacy issues related to the emerging technology. The surveyed consumers said that government, followed by "crooks and bad guys," banks, insurance companies and credit card companies are the most likely to abuse their privacy without their knowledge and consent.

Study Detailing RFID Privacy Concerns Released:

"....Consumers express being more concerned with privacy issues today than ever before. And with many forms becoming electronic, they are cautious about divulging personal information and are taking active steps to protect themselves such as checking to make sure websites are secure before submitting information and shredding paper and mail received unsolicited at home. Many believe their personal information is easily obtained by companies through magazine subscriptions and frequent-buyer programs implemented by grocery stores and airlines.

Although consumers recognize the "perks" of being rewarded for loyal shopping behavior, they are also concerned that their information is not protected and will be shared without their permission. "Almost everyone knows somebody lately who has had a bad experience with privacy invasion, credit card abuse or identity theft," said Linda Stegeman, president of Artafact. "In online focus groups, they recount stories of friends or families who have been affected by institutions or crooks and bad guys getting access to their personal information."

Only 35% of consumers concerned about protecting their personal information believe that RFID (Radio Frequency Identification) is a "good idea." However, they also recognize the business benefits of easily tracking merchandise and preventing theft. Many consumers think they will not reap any benefit from RFID technology and are concerned with the potential for misuse, given the "lack of safeguards."

Data protection watchdog distributes email mailing list (The Register)

It is staggeringly easy to accidentally send an e-mail to a large distribution list, placing the addresses in the "TO:" or the "CC:" field instead of the "BCC:" field. A number of incidents of this have led to significant consequences for the senders who have accidentally breached the privacy of the recipients. Recently, a customer loyalty program did this in Canada, resulting in a complaint to the federal Privacy Commissioner. (See PIPED Act Case Summary #277: Mass mailout results in disclosure of contest entrants e-mail addresses.) A large drug company did the same in the United States, leading to a significant penalty from the FTC. (See ACLU Knocks Eli Lilly for Divulging E-Mail Addresses: Site's prescription reminder reveals names of recipients.)

In a recent incident, slightly tinged with irony, the Dutch Data Protection Authority did the same thing:

Data protection watchdog distributes email mailing list | The Register:

"The Dutch Data Protection Authority (Dutch DPA), which supervises the compliance with acts that regulate the use of personal data, was rather red-faced this week when it sent out a newsletter with all of the recipients in the Cc: field instead of the Bcc: field.

DPA's news letter goes out to 4000 subscribers. The DPA, which supervises the compliance with the Dutch Personal Data Protection Act and the Dutch Municipal Database Personal Records Act, was lucky that 'only' a thousand subscribers received the letter, but it managed to make the mistake twice. In a message it apologised for sending the first letter, again putting all recipients to the Cc list, so a second apology had to be sent."

These happen so often that I think Outlook and other mail programs should have a function that asks if you are sure you want to send a message with more than five/ten/whatever recipients in the "CC:" field....

Friday, October 29, 2004

BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws

The Information and Privacy Commissioner of BC has released his report into the impact of the USA PATRIOT Act on the privacy of British Columbians. His report is available here and a summary is available here.

See below for media coverage:

U.S. Patriot Act can eyeball private Canadian records, says B.C. report
Canadian Press via Yahoo! News Fri, 29 Oct 2004 11:10 AM PDT
VICTORIA (CP) - The USA Patriot Act has the power to eyeball private information about Canadians despite attempts by governments in Canada to thwart probes by American authorities, says a report released Friday by British Columbia's privacy commissioner.

Patriot Act contravenes B.C. privacy laws: report
CBC British Columbia Fri, 29 Oct 2004 11:06 AM PDT
VICTORIA - B.C Privacy Commissioner David Loukidelis says the U.S. Patriot Act violates provincial privacy laws – and he wants the province to temporarily ban the transfer of personal information to the U.S.

Canada Study Sees Risk in U.S. Anti-Terrorism Law
Reuters via Yahoo! News Fri, 29 Oct 2004 11:31 AM PDT
A key U.S. anti-terrorism law threatens the privacy of Canadians and rigorous steps are needed to protect private medical and financial information, a government study said on Friday.

Supreme Court of Canada considers different species of personal privacy

The Supreme Court of Canada has just released its decision in R. v. Tessling, 2004 SCC 67. The matter at issue was whether the use of infrared imaging from outside a home constituted unreasonable search and seizure under the Charter of Rights and Freedoms. I haven't had a chance to read it in detail, but here's the headnote:

Date: 2004-10-29
Docket: 29670
URL: http://www.canlii.org/ca/cas/scc/2004/2004scc67.html

Her Majesty The Queen
Appellant

v.

Walter Tessling
Respondent

and

Attorney General of Ontario, Attorney General of Quebec and Canadian Civil Liberties Association
Interveners

Neutral citation: 2004 SCC 67.
File No.: 29670.
2004: April 16; 2004: October 29.

Present: McLachlin C.J. and Iacobucci,* Major, Bastarache, Binnie, Arbour,* LeBel, Deschamps and Fish JJ.

ON APPEAL FROM THE COURT OF APPEAL FOR ONTARIO

Constitutional law -- Charter of Rights -- Search and seizure -- Police using thermal imaging device to take 'heat' picture of accused's home from aircraft without warrant -- Whether warrantless use of thermal imaging device violated right against unreasonable search and seizure -- Canadian Charter of Rights and Freedoms, s. 8.

  The RCMP used an airplane equipped with a Forward Looking Infra-Red ("FLIR") camera to overfly properties owned by the accused. FLIR technology records images of thermal energy or heat radiating from a building. It cannot, at this stage of its development, determine the nature of the source of heat within the building or "see" through the external surfaces of a building. The RCMP were able to obtain a search warrant for the accused's home based on the results of the FLIR image coupled with information supplied by two informants. In the house, the RCMP found a large quantity of marijuana and several guns. The accused was charged with a variety of drug and weapons offences. At trial, he unsuccessfully argued that the FLIR overflight was a violation of his right to be free from unreasonable search and seizure guaranteed by s. 8 of the Canadian Charter of Rights and Freedoms, and was convicted. The Court of Appeal set aside the convictions. The court found that the use of FLIR technology constituted a search of the accused's home and, since it was done without a warrant, violated his s. 8 right. The court concluded that the evidence ought to have been excluded and the accused acquitted on all charges.

  Held: The appeal should be allowed. The FLIR overflight did not violate the accused's constitutional right to be free from unreasonable search and seizure.

  Few things are as important to our way of life as the amount of power allowed the police to invade the homes, privacy and even the bodily integrity of members of Canadian society without judicial authorization. Building upon the foundation laid by the common law, s. 8 of the Charter creates for "everyone" certain areas of personal autonomy where the state, including the police, cannot trespass. These areas we have now gathered up under the general heading of privacy. At the same time, social and economic life creates competing demands. The community wants privacy but it also insists on protection. Safety, security and the suppression of crime are legitimate countervailing concerns. Thus s. 8 of the Charter accepts the validity of reasonable searches and seizures.

  Privacy is a protean concept, and the difficult issue is where the "reasonableness" line should be drawn. The distinction between informational and territorial privacy is of assistance in the current factual situation. Whereas the Court of Appeal treated the FLIR imaging as equivalent to a search of the home, and thus "worthy of the state's highest respect", it is more accurately characterized as an external surveillance of the home to obtain information that may or may not be capable of giving rise to an inference about what was actually going on inside, depending on what other information is available to the police. FLIR is not equivalent to entry. Because of the emphasis on the informational aspect, the reasonableness line must be determined by focussing on the nature and quality of the information FLIR can actually deliver and then evaluating its impact on an accused's reasonable privacy interest.

  FLIR technology cannot, in its present state of development, permit any inferences about the precise activity giving rise to the heat. The accused had a privacy interest in the activities taking place in his home and it may be presumed that he had a subjective expectation of privacy in such activities to the extent they were the subject matter of the search. The fact that it was his home that was imaged using FLIR is an important factor, but it is not controlling and must be looked at in context and in particular, in this case, in relation to the nature and quality of the information made accessible to the police by FLIR technology. Everything shown in the FLIR photograph exists on the external surfaces of the building and, in that sense, FLIR records only information exposed to the public. Although the information about the distribution of the heat was not visible to the naked eye, the FLIR heat profile did not expose any intimate details of the accused's lifestyle or part of his core biographical data. It only showed that some of the activities in the house generate heat.

  Thus, when one considers the "totality of the circumstances", the use of FLIR technology did not intrude on the reasonable sphere of privacy of the accused. Patterns of heat distribution on the external surfaces of a house are not a type of information in which, objectively speaking, the accused had a reasonable expectation of privacy. The heat distribution information offered no insight into his private life and its disclosure scarcely affected his "dignity, integrity and autonomy".

  Technology must be evaluated according to its current capability, and its evolution in future dealt with step by step. Concerns should be addressed as they truly arise. FLIR technology at this stage of its development is both non-intrusive in its operations and mundane in the data it is capable of producing. The taking of a FLIR image therefore did not violate the respondent's reasonable expectation of privacy within the scope of s. 8 of the Charter.

With privacy, customer actions lag behind their words

GlobeTechnology is reporting on a study recently conducted on the privacy attitudes and privacy-protecting actions of US consumers. It is eye-opening, but most who work in this area know that consumers regularly talk about privacy fears, but rarely act with their privacy interests in mind.

Security, but only if it's convenient: "

U.S. consumers may express fear of identity theft, but they continue to offer too much personal information over the telephone and the Internet, a survey says.

Consumers continue to repeat the mistakes that resulted in nearly 10 million identity theft victims in the United States last year as reported by the U.S. Federal Trade Commission.

The 2004 Identity Management Survey, commissioned by Texas-based Electronic Data Systems Corp. and the International Association of Privacy Professionals, based in Maine, found that consumers are not taking enough security precautions to protect themselves despite repeated warnings of identity theft.

According to the survey, more than 70 per cent of consumers are too ready to share information such as their names, addresses, postal codes, phone numbers, account numbers or give the answer to a security question to an unsolicited call or e-mail...."

Thursday, October 28, 2004

BC Privacy Commissioner to release report on USA PATRIOT Act and outsourcing of personal information management

According to a press-release on the BCGEU website, the Information and Privacy Commissioner of British Columbia will be releasing his long-awaited -- and delayed -- report on the impact of the USA PATRIOT Act on the privacy of British Columbians' personal information. The report will be released at 10:00 am (PST), to be followed by the reaction of the BCGEU. (See BCGEU: News conference to respond to privacy ......)

Announcement: Privacy and Anonymity Conference in Ottawa - March 2005

This just in....

The Concealed I: Anonymity, Identity and the Prospect of Privacy www.anonequity.org/concealedI

March 4-5, 2005 University of Ottawa, Faculty of Law Ottawa, Canada

* Do we have a right to speak anonymously?
* Why do people claim to value privacy but act otherwise?
* What are the constitutional implications of the compelled disclosure of identity?
* What is the effect of imposing anonymity on women who enter the legal system as a result of sexual assault or other crimes of gendered violence?
* Do we have the right to resist excessive surveillance?

These are some of the questions being investigated by a multidisciplinary team of researchers on a project entitled On the Identity Trail (www.anonequity.org). The team, along with faculty members from the Law and Technology Program at the University of Ottawa (www.commonlaw.uottawa.ca/tech), invites you to a two-day conference dedicated to investigating these and other privacy issues in our increasingly networked society.

Panel discussion topics include:

* THE NATURE AND VALUE OF PRIVACY AND ANONYMITY
* PUBLIC PERCEPTIONS OF PRIVACY
* POLICY ISSUES FOR PRIVACY COMMISSIONERS
* DEBATE ON THE COMPELLED DISCLOSURE OF IDENTITY
* INVASIVE SURVEILLANCE TECHNOLOGIES
* COMPARATIVE CONSTITUTIONAL ISSUES
* PUBLIC SAFETY IN FREE AND DEMOCRATIC SOCIETY
* PRIVACY ACTIVISM

The conference will begin on Day I with an introductory session investigating the nature and value of privacy and anonymity in an era of ubiquitous identification technologies. This will be followed by an investigation from a social science perspective on public perceptions of privacy and data flows. These two panels lay the ground for a very special policy lunch, hosted by Canada's federal and provincial privacy commissioners. In an unprecedented collaboration, the various participating privacy commissioners will present a cross-Canada "policy-scan", setting out the most pressing issues encountered by their offices and offering a range of viewpoints in response. The remainder of the afternoon on Day I will include a debate on compelling the disclosure of identity and a session on invasive identification and surveillance technologies.

Day II of the conference will begin with law and policy issues and will end with an investigation of some broader social dimensions of anonymity and identity. The day starts with a session investigating some of the crucial comparative constitutional questions, and is followed by a session that focuses more specifically on issues of race and gender. These sessions will be followed by another policy lunch featuring representatives of the law enforcement and security community debating the need for identification from the perspective of "public safety" in a free and democratic society. The remainder of the afternoon of Day II will focus on the broader public, including a session on social activism and the appropriateness of certain public responses to oppressive surveillance. We end the conference with a walking tour of the surveillance cameras in the Ottawa area and an artistic performance.

Invited Speakers:

Ken Anderson Assistant Commissioner (Privacy) Office of the Information Privacy Commissioner of Ontario

Jacquelyn Burkell Professor, Faculty of Information and Media Studies, University of Western Ontario

Colin Bennett Professor, Political Science University of Victoria

Bill Brown New York Surveillance Camera Players

Paul De Hert Professor, Faculty of Law, Leiden University & Free University Brussels

Jane Doe Teacher, Lecturer and Arts and Culture Worker, Toronto

A. Michael Froomkin Professor, Faculty of Law, University of Miami

Oscar Gandy Professor, Annenberg School For Communication, University of Pennsylvania

Daphne Gilbert Professor, Faculty of Law, University of Ottawa

Declan McCullagh CNET

Ian Kerr Canada Research Chair in Ethics, Law & Technology, University of Ottawa

David Lyon Professor, Department of Sociology, Queen's University

Rafael Macedo Attorney General, Mexico

Steve Mann Professor, Department of Electrical and Computer Engineering, University of Toronto

Helen Nissenbaum Professor of Culture & Communication, Computer Science and Sr. Fellow in Law, NYU

G.T Marx Professor Emeritus, Department of Sociology, M.I.T

Stephanie Perrin Research Coordinator, On the Identity Trail Privacy Consultant and Advocate, Montreal, Canada

Jennifer Stoddart Privacy Commissioner of Canada

Marc Rotenberg Executive Director, Electronic Privacy Information Center; Adjunct Professor Georgetown Law

Alan Westin Professor Emeritus, Columbia University President, Privacy and American Business

Stay tuned for further announcements. For more information, visit: www.anonequity.org/concealedI or email: anonplan@uottawa.ca

Alberta Medical Association expresses concern about allowed disclosures under the province's Health Information Act

The Health Information Act of Alberta has recently come under the microscope as a result of a review of the legislation by a committee of the Alberta legislature (see Alberta legislature committee recommends changes to the Health Information Act (HIA)). The President of the AMA has expressed concerns about the many categories of non-treatment-related disclosures of personal health information that can be made without the knowledge and consent of the patient. See the recent article in the Medical Post (19 October 2004):

MedicalPost.com: AMA concerned law does not protect confidentiality:

"...

What the Health Information Act lacks is a fundamental commitment that, in non-direct-care situations, protecting patient privacy is more important than sharing information, Dr. Ballantine explained. The association believes that patient privacy should be regarded as more important than sharing information for non-direct-care purposes.

Patients expect that physicians and other providers will share their health information to provide direct care. Patients don't expect, though, that their information can be shared, without consent, for all of the non-direct-care purposes authorized by the act. That's where the problem lies, she stressed...."

PIPEDA Case Summary #281: Organization uses biometrics for authentication purposes

The Privacy Commissioner released a new finding yesterday (the finding itself is dated September 3, 2004), the first finding to address the mandatory use of biometrics in the workplace. In this case, the employer used voice-print technology for security and managing the employer-employee relationship. The Assistant Commissioner determined that the use of this technology was reasonable, and struck the appropriate balance for security purposes.

Commissioner's Findings - PIPEDA Case Summary #281: Organization uses biometrics for authentication purposes - September 3, 2004 - Privacy Commissioner of Canada:

"Several employees complained that their employer was forcing them to consent to the collection of biometric information, namely, their voice print, for the purpose of accessing a number of the company's business applications. These applications are used for logging work-related information, as well as for absence reporting. "

Opinion: Too much privacy?

Kerry Diotte, a columnist for the Edmonton Sun, has a piece about proposed amendments to the Alberta Health Information Act that were voted down by a legislature committee that was reviewing the Act. The proposal would have allowed hospitals to disclose health information without consent to police in certain circumstances:

Edmonton Sun Columnist: Kerry Diotte - Too much privacy?:

"....

In a submission to the committee studying changes to the act, then-acting deputy chief Mike Bradshaw summed up the cops' concerns.

'The [Edmonton Police Service]'s primary concern is that the (current act) prevents health-care providers from contacting or disclosing to police services information where it is reasonably suspected that a person attending the hospital has been involved in some form of criminal activity,' wrote Bradshaw.

That point hits home with Lukaszuk who welcomes the more common-sense approach of the new legislation.

'In my opinion, shifting the balance from complete protection of health information to a slight relaxation of such protection -and enhancing police ability to apprehend criminals - was a reasonable undertaking,' said Lukaszuk.

'After all, any law-abiding Albertan would not object to a police officer wanting to know whether he is in hospital or whether he has a bullet wound. It's likely only the criminal element that would object.' "

Cottage industry of ethical-legal (ie privacy) zealots impede research

An article in last week's Vancouver Sun reports on the opinions of a leading public health researcher that privacy zealots and their bureaucratic brethren are blocking valuable research:

Our privacy rules 'block health research: Important studies held back, scientist says

"Privacy and ethics rules in Canada are choking studies into everything from the hazards of cellphones to the ill-effects of living near busy, polluted roads, says a leading public health researcher...."

Article: Does Your Car Have a Spy in the Engine?

The New York Times is running, in the Auto section, an article on event data recorders that record the last few seconds before an airbag deployment. These are the so-called black boxes that are increasingly becoming useful in litigation and insurance claims. Some claim that it amounts to "big brother onboard":

The New York Times > Automobiles > Does Your Car Have a Spy in the Engine?:

"AFTER Danny G. Hopkins's Cadillac CTS rear-ended Lindsay Kyle's Dodge Neon at a traffic light in Rochester a year ago, witnesses said Mr. Hopkins had been zooming down the road, and crash investigators who examined the condition and location of the wreckage estimated that Mr. Hopkins was traveling 65 to 70 miles an hour at the point of impact.

But in a trial that ended on Oct. 7, a witness emerged with more to say: that four seconds before the crash, it had been traveling 106 m.p.h."

Tuesday, October 26, 2004

Weird sociology assignment demands personal information; students object

Here's a weird, interesting privacy story ...

The Ticker - Students object to assignment, cite privacy concerns:

"Last week Baruch senior Adorian Lazar brought to the attention of the USG student objections to a controversial research paper that required them to divulge personal information, including whether they'd ever had an abortion or lived with someone while unmarried. The paper was a requirement for a Sociology 1005 class. The professor's name has been withheld...."

Ontario's new health privacy law, PHIPA, in the press

ITBusiness.ca, which is always at the forefront of covering privacy matters in Canada, is running an article with an overview of Ontario's new health privacy law, the Personal Health Information Protection Act (PHIPA):

ITBusiness.ca:

"Ontario prescribes privacy law for health-care sector

10/26/2004 5:00:00 PM - The province introduces specific rules around patient data and some heavy fines for those who don't comply. Learn about the 'lockbox' principle and how UHN and others are getting prepared..."

Alberta Commissioner welcomes substantially similar finding

Following the finding by the federal cabinet that the Personal Information Protection Act (Alberta) is "substantially similar" to PIPEDA, the Alberta Information and Privacy Commissioner, Frank Work, has released the following statement:

Commissioner welcomes substantially similar finding:

"Edmonton, October 26, 2004

Commissioner Frank Work today welcomed news that Industry Canada has found Alberta's Personal Information Protection Act (PIPA) substantially similar to the Federal Personal Information Protection and Electronic Documents Act.

The substantially similar finding means the provincial law rather than the federal law governs the collection, use and disclosure of personal information by private sector organizations in Alberta. Personal information in the custody or control of private sector organizations as it relates to commercial transactions or activities will be subject to the Act. Personal employee information is also covered by the PIPA.

"This is good news. It gives businesses in Alberta some certainty as to which law governs," says the Commissioner. "The finding enables my Office to make arrangements with the Privacy Commissioner of Canada to coordinate our efforts so that we do not have two Commissioners knocking on the same door, with respect to the same issue," adds the Commissioner.

The PIPA allows the Commissioner to review the decisions of private sector organizations to deny an individual access to their own personal information, or to refuse a request for correction to their own personal information. Individuals may also make a complaint to the Commissioner if they believe their personal information has been collected, used or disclosed without proper authority or without their consent.

The Information and Privacy Commissioner is an independent Officer of the Legislature. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Health Information Act, and the Personal Information Protection Act."

Right-to-Privacy Campaign presents 50,000-name petition opposing the privatization of government jobs

The British Columbia Government Employees Union, which started the USA PATRIOT ACT and outsourcing firestorm in BC a while ago, has presented a fifty-thousand name petition against privatizing government jobs by outsourcing:

BCGEU: Right-to-Privacy Campaign presents 50,000-name petition opposing the privatization of government jobs:

"The BC Government and Service Employees' Union congratulated Right-to-Privacy-Campaign representatives who turned over petitions totaling 51,203 names to the Opposition caucus in Victoria today, opposing the contracting out of Medicare and Pharmacare jobs to private companies.

...

While support for stopping the privatization of Medicare and Pharmacare jobs is welcome, President Heyman cautioned that all personal information in government data banks is at risk.

"The Campbell Liberals are proceeding with plans to contract out help desk, disaster recovery and many other services to the private sector," Heyman said. "If these contracts proceed, virtually every piece of confidential information handled by the government could be accessed by private multi-national corporations.""

Monday, October 25, 2004

Website privacy policy pointers

Thanks to Legal Technology Blog for leading me to this article that discusses contractual promises made in website privacy policies:
Law Technology News - Keeping Promises: Online Privacy Policies:

"Rethinking the boilerplate on your company's Web pages could help you avoid FTC sanctions..."

Though written from an entirely American perspective, it is of relevance to Canadians and other non-Americans thanks to the long arm of the law. Courts can and do assume jurisdiction over operators of websites originating from outside their borders, particularly if the sites are "aimed" at their jurisdiction. Canadian companies with an online presence have to seriously consider not only PIPEDA, but also the enforcement powers of the FTC.

Canadian Lawyer mentions Canadian blogging lawyers

The October 2004 edition of Canadian Lawyer magazine has a brief feature on Canadian blogging lawyers. It refers to Michael Fitzgibbon's fantastic blog, Thoughts from a management lawyer, Sharon E. Reashore's Elder Law in Nova Scotia and this blog, PIPEDA and Canadian Privacy Law. The article, which discusses the benefits of blogging for lawyers, is only available in the print edition.

Geist: Revise privacy law to expose offenders, block snoops

Michael Geist continues his argument in favour of stronger Canadian privacy laws in this week's LawBytes column in the Toronto Star:

TheStar.com - Revise privacy law to expose offenders, block snoops:

"With Industry Minister David Emerson scheduled to lead a parliamentary review of Canada's privacy legislation in 2006, it is time to consider how Canada can break from the pack by establishing a privacy law framework that combines the societal benefits of a strong privacy commissioner with an enforcement approach that leaves no doubt that privacy compliance is not to be taken lightly."

Annual Report on the Use of Electronic Surveillance, 2003

Public Safety and Emergency Preparedness Canada has just released (21 October 2004) its mandatory Annual Report on the Use of Electronic Surveillance, 2003. Thanks to Michael Power for the link.

Sunday, October 24, 2004

CBC's Marketplace investigates loyalty programs

Marketplace, the Canadian Broadcasting Corporation's consumer affairs program, has just continued its series of privacy features by investigating two of the country's loyalty programs:

CBC Marketplace: Mining your business

"Our quest: to find out what companies do with your information - the personal stuff you provide on the sign-up sheet when you apply for a card ... and the information gleaned from your purchases when your card is swiped at the store."

Their investigation (with a small sample) confirmed the conclusions of Katherine Albrecht, of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), that loyalty programs do not result in real savings ...

"For some background on loyalty card programs, we headed to Harvard University, in Boston, Massachusetts. We met with a student and privacy activist named Katharine [sic] Albrecht. She's doing her doctoral thesis on loyalty cards.

In all her research, Albrecht says she's "been unable to find a single consumer benefit from using these cards."

But wait ... We thought these loyalty card programs were about saving consumers a dime. To test Albrecht's thesis, we did a little research of our own. We went shopping."

Among the interesting elements of the report is a view into the information that is collected by loyalty programs. The show's "consumer cadets" opened loyalty program accounts and subsequently requested access to their personal information. The responses from the companies are posted on the show's website.

Those interested may also wish to check out some of the materials released by the Public Interest Advocacy Centre in Ottawa, following their complaint to the Privacy Commissioner about the information collected by various organizations, including a high-profile loyalty program.

Bruce Schneier on RFID passports

Most followers of computer security and privacy news know about Bruce Schneier. (He is the author and editor of the Crypto-Gram newsletter and of Beyond Fear: Thinking Sensibly about Security in an Uncertain World.) In his recent blog entry about the security and privacy issues related to the reports that RFID will be added to American passports (see Wired News: American Passports to Get Chipped), he very clearly articulates the perceived privacy risks of adding this technology to passports. I would only add that the same risks are inherent in adding RFID to any identity document.

Schneier on Security: RFID Passports:

"October 04, 2004
RFID Passports

... But the Bush administration is advocating radio frequency identification (RFID) chips for both U.S. and foreign passports, and that's a very bad thing.

These chips are like smart cards, but they can be read from a distance. A receiving device can "talk" to the chip remotely, without any need for physical contact, and get whatever information is on it. Passport officials envision being able to download the information on the chip simply by bringing it within a few centimeters of an electronic reader.

Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.

Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily--and surreptitiously--pick Americans or nationals of other participating countries out of a crowd.

...

The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.

Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can't be done.

Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it."

Your ID and credit are worth ten bucks

Your ID is apparently worth about ten bucks. Today's New York Times has a feature on identity theft, its history, who the criminals are and what is being done to address the problem:

The New York Times > Business > Your Money > Identities Stolen in Seconds:

"....A spokesman for the Consumer Data Industry Association, the trade group representing credit reporting agencies, said consumers could put fraud alerts on their credit histories if they wanted to keep prying eyes at bay. Representatives of Visa and MasterCard, the two largest credit card associations in the country, say that they are guarding customer account numbers more carefully, for example, by deleting the numbers in mail and other documents delivered to customers' homes.

Sergio Pinon, the head of security and risk services at MasterCard, said that MasterCard was deploying computer systems that analyze the spending patterns of individual card users and pluck out anomalies in case a fraud is under way. Like Ms. Feddis, Mr. Pinon said that he was the victim of an identity thief, but that he stopped the fraud because his bank had quickly spotted an intrusion into his credit card account.

Both MasterCard and Visa also monitor Web sites that broker stolen credit card numbers and other personal information. 'One of the things we've discovered is that your identity is worth about $10' on the Internet, said Linda Locke, a MasterCard spokeswoman.

With identities so cheap, experts say that criminals who want to mask themselves inside the envelope of someone else's financial world will continue to have ample opportunities to express themselves.

'The only limitation to identity theft is the creativity of the thief, and that's scary because there's really no limit on creativity, is there?' Ms. Foley said. 'The tour guides on this crazy ride are the thieves, not us and not law enforcement, and as long as that continues it's going to be a problem.' ..."

Saturday, October 23, 2004

Update on UC Berkeley privacy breach

Further to UC Berkeley reports massive security/privacy breach, eWeek is reporting that the incident at UC Berkeley can be traced to the exploitation of a known vulnerability for which a patch was available, but not installed.
Hack at UC Berkeley Potentially Nets 1.4 Million SSNs:

"Hackers took advantage of a known vulnerability on an unpatched computer to potentially gain access to some 1.4 million names, Social Security numbers, telephone numbers, addresses and dates of birth at University of California at Berkeley, officials said Tuesday. ..."

Incident: Purdue computers hacked

eWeek is reporting that the computer network at Purdue has been hacked into and sysadmins are urging all users to change their passwords. The breach is still being investigated and there is no word on whether personal information has been disclosed:

Someone Hacked Into Purdue's Computers:

The school has not been able to determine whether the intruder obtained personal information. Ksander advised users to watch for signs that others might have obtained their personal information.

Alberta and British Columbia privacy laws declared to be substantially similar

The federal cabinet, on October 12, 2004, issued two very important orders, exempting organizations in Alberta and British Columbia from the application of PIPEDA: the provincial private sector privacy laws have been declared to be substantially similar to the federal law. Therefore, PIPEDA does not apply to the collection, use and disclosure of personal information by provincially regulated organizations that occurs within Alberta and British Columbia. (Surprise! PIPEDA will apply if you disclose it across provincial borders.)

PC2004-1163 relates to the Personal Information Protection Act (Alberta) and PC2004-1164 relates to the Personal Information Protection Act (British Columbia). Both orders are long awaited. Neither has been "Gazetted", but they are effective on the date of registration, which was October 12, 2004.

(A big thanks to Michael R. Whitt, of Borden Ladner Gervais in Calgary, for sending me copies of the exemption orders ... and for his contribution to the privacy roundtable that Eloise Gratton and I moderated at the Canadian IT Law Association annual conference in Calgary this past week.)

Friday, October 22, 2004

BC Unions continue to slam privacy impact of outsourcing of IT services

More on the BC outsourcing privacy front: The British Columbia Government Employees' Union continues to attack the outsourcing of IT services, using privacy fears related to the USA PATRIOT ACT:
Privacy risks for 'hundreds and hundreds' of B.C. contracts

Gordon Campbell Liberals outsourcing IT contracts to U.S. companies

Vancouver - The British Columbia government has admitted that "hundreds and hundreds" of provincial contracts will be vulnerable to privacy concerns despite the passage of new controls by the legislature.

The province is in the process of outsourcing B.C. information technology (IT) contracts to American companies. The U.S. firms are subject to the Patriot Act, a sweeping piece of legislation passed following the Sept. 11, 2001, terrorist attacks on New York and Washington.

American courts have already ruled that the Patriot Act takes precedence over any privacy protections enacted by foreign governments.

Critics, led by the B.C. Government and Service Employees' Union (BCGEU/NUPGE), are strongly opposed to outsourcing of IT contracts because of this vulnerability.

Meanwhile, Joyce Murray, B.C.'s government services minister, acknowledged this week that the strengthened legislation will only apply to contracts signed after Oct. 12, not to "hundreds and hundreds" of already-existing contracts.

No deadline for compliance

Contracts signed prior to Oct. 12 will be brought into compliance with the new legislation "as soon as possible," Murray told MLAs in the legislature. However, she did not indicate how long this might take.

Diane Wood, the BCGEU's secretary-treasurer, says the revelations by the minister make an even stronger case against outsourcing IT contracts. In effect, U.S. companies awarded IT contracts will have no alternative but to break the law, she says.

“If they comply with the Patriot Act, they break B.C.’s law. If they follow our legislation, they risk prosecution in the United States,” Wood notes.

She also objects to the province forcing the amendments through the legislature before the B.C. Privacy Commissioner files a report on the Patriot Act and its potential impact on B.C. outsourcing contracts.

“The only way to ensure that our personal and confidential information is fully protected, is to keep it in our own government where it belongs,” says Wood. NUPGE"

BC's Bill 73 is sped through to royal assent

Bill 73, the British Columbia law to amend the Freedom of Information and Protection of Privacy Act (see BC Amends Public Sector Privacy Law) was blasted through the BC Legislature and received royal assent yesterday: BILL 73 -- 2004: FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY AMENDMENT ACT, 2004

Article: The problem with privacy

In Silicon Valley North, Rick Segal argues that privacy is overrated for customers looking for personalized services:

Silicon Valley NORTH: The problem with privacy:

"Privacy is really not all it's cracked up to be. For the most part it gets in the way of doing lots of useful things with technology. With apologies to the Society for Staying Out of My Life, it's an interesting venture capitalist's exercise to go through some possibilities when you suspend for a moment the fears of Big Brother... "

North Carolina psychiatrists debate how much therapeutic information should be provided to insurers

The tension between patient privacy and an insurer's interest in knowing what is being paid for has led to a significant conflict between certain North Carolina psychiatrists and an insurance company. The Psychiatric Times has a very thoughtful article on a battle raging between two psychiatrists and Blue Cross and Blue Shield of North Carolina.

This is very much a live issue here in Canada. Patients may not be aware of how much information is being transmitted to their insurers and fear of disclosure can have a significant impact upon the therapeutic relationship. At the same time, health professionals may inadvertently provide too much information, resulting in unintended consequences to the patient.

Patient Privacy Battle Hinges on Competing Interests:

"by Michael Jonathan Grinfeld
Psychiatric Times January 2001 Vol. XVIII Issue 1


One of the reasons that details surrounding a clash over the privacy of patients' records in North Carolina are shrouded in secrecy is that there are still aspects of the dispute that, ironically, remain confidential. The year-and-a-half-old battle, which started after a breakdown in the relationship between two psychiatrists and a major health insurer in the region, yielded privacy issues so critical that the American Psychiatric Association and the North Carolina Psychiatric Association (NCPA) ultimately agreed to jump into the fray.

At issue is a conundrum that will ultimately confront every psychiatrist in the nation and will, if not resolved in a way that reconciles competing interests, strike at the heart of mental health care: Can psychiatrists preserve patient confidentiality while at the same time providing enough information to insurers so they can get paid?

Unresolved questions abound: How much information can insurers justifiably request to ensure that health benefits are paid properly? Are benefits payers asking for so much information that they risk undermining the therapeutic relationships between physicians and patients, or, even worse, are they so intrusive that people won't seek care when they need it? Will physicians sacrifice their obligation to preserve their patients' most intimate revelations in order to ensure an uninterrupted income stream? ..."

Thursday, October 21, 2004

Alberta Commissioner responds to the Final Report of the Select Special Health Information Act Review Committee

Further to the report of the Alberta legislature's special committee reviewing the Health Information Act, the Alberta Information and Privacy Commissioner has responded via the following press release (further info at the same site):

Commissioner responds to the Final Report of the Select Special Health Information Act Review Committee:

"NEWS RELEASE

Edmonton, October 21, 2004

Frank Work, Alberta's Information and Privacy Commissioner, issued his comments today on the release of the Final Report of the Select Special Health Information Act Review Committee.

There are a number of positive outcomes arising from the Committee's recommendations including:

  • The authority to publish ethics committee research approvals on a website is a positive as it provides for increased openness, accountability and transparency for Albertans
  • Recommending against certain disclosures without consent, specifically disclosure for common or integrated government programs. The Commissioner believes this is an extremely broad category of disclosure without consent.

The Commissioner also had a number of concerns with some of the Committee's recommendations, including the failure to address substantive issues such as:

  • The issue of expanding the scope of the Act to include privately funded health professionals, organizations, and health clinics of post-secondary educational institutions was deferred to a committee of the Legislature to be established in early 2005. The Commissioner believes that this leaves a gap in legislation with no provincial access or privacy legislation for the privately funded health sector and needs to be addressed immediately.
  • Also deferred to the future 2005 committee:
    • whether genetic information should be explicitly addressed,
    • whether health service provider information should remain under the Act,
    • examining the need for more clear and transparent rules for the electronic health record,
    • harmonizing the Act to the rules of the pan-Canadian health information privacy and confidentiality framework,
    • the Commissioner's request for the explicit right to conduct and compel information for purposes of conducting audits, and
    • the Commissioner's request for explicit power to enter into extra-provincial agreements and to consult and delegate extra-provincially.

The Commissioner is not opposed to the creation of a discretionary authority for custodians to disclose limited registration information to law enforcement agencies for the purposes of obtaining search warrants or subpoenas. However, he opposes the creation of mandatory disclosure and reporting of health information to law enforcement and is concerned about the lack of certainty for custodians."

American Passports to Get Chipped

Wired News is reporting that the next generation of US passports will be "chipped" using RFID technology:

Wired News: American Passports to Get Chipped:

"...The RFID passport works like a high-tech version of the children's game 'Marco Polo.' A reader speaks out the equivalent of 'Marco' on a designated frequency. The chip then channels that radio energy and echoes back with an answer.

But instead of simply saying 'Polo,' the 64 Kb chip will say the passport holder's name, address, date and place of birth, and send along a digital photograph.

While none of the information on the chip is encrypted, the chip does also broadcast a digital signature that verifies the chip itself was created by the government. Security experts said the U.S. government decided not to encrypt the data because of the risks involved in sharing the method of decryption with other countries.... "

And thus is born the aluminum-lined passport holder industry.

Wednesday, October 20, 2004

UC Berkeley reports massive security/privacy breach

Another in a series of significant privacy incidents has hit California universities. This time, a research database containing very sensitive personal information was penetrated. See the discussion on Slashdot and the article, below, from Security Focus:

SecurityFocus HOME News: California reports massive data breach:

"The FBI is investigating the penetration of a university research system that housed sensitive personal data on a staggering 1.4 million Californians who participated in a state social program, officials said Tuesday.

The compromised system had the names, addresses, phone numbers, social security numbers and dates of birth of everyone who provided or received care under California's In-Home Supportive Services program since 2001, says Carlos Ramos, assistant secretary of the state's Health and Human Services Agency. The program pays a modest hourly wage to workers who provide in-home care for hundreds of thousands of low-income elderly, blind and disabled people.

Officials say they have not determined whether or not the intruder actually downloaded the database, which had been made available to researchers at the University of California, Berkeley under a confidentiality agreement. 'We don't know whether or not the information was accessed,' says Ramos. 'Since it is sensitive data we figured it would be best to get word out to people so they can take preventive measures just in case.' ..."

See also the California Department of Social Services information about this incident at: http://www.cdss.ca.gov/ihss/. The Department also has an FAQ related to the incident at http://www.cdss.ca.gov/ihss/IHSSSecuri_1720.htm.

Tuesday, October 19, 2004

Guest blogger: Mathew Englander's update on privacy and the CRIA file sharing lawsuit

Mathew Englander (http://www.mathew-englander.ca/) recently wrote to me about the latest developments in the CRIA lawsuit appeal. With his permission, I'm including his letter and I suggest taking a look at the appeal materials he refers to:

David,

A while ago you blogged about the decision by Justice von Finckenstein of the Federal Court (2004 FC 488) not to compel several ISPs to release information related to the identities of their subscribers alleged to have infringed copyright by file-sharing (pipeda.blogspot.com/2004/04/privacy-aspects-of-matter-of-bmg.html).

You may wish to run an update as the decision is under appeal to the Federal Court of Appeal. I have been reading the factums at CIPPIC's web site (http://www.cippic.ca/en/projects-cases/file-sharing-lawsuits/document-archives.html). The central issue on appeal is whether a plaintiff in a John Doe lawsuit needs to establish a "prima facie case" or just a "bona fide case" before an innocent third party is compelled to release information about the identity of the defendant.

This may seem like a dry legal distinction, but it has serious implications for privacy. The "prima facie" standard (which Justice von Finckenstein adopted as the first criterion of five; see paras. 13-14 of his decision) is stricter. As I understand it, it means that the plaintiff must provide some acceptable evidence on each element of the cause of action. The "bona fide" standard appears to mean that the plaintiff need only show that it honestly believes the defendants are liable. Having a stricter standard is more respectful of an individual's privacy since it requires more evidence before the court may order the individual's personal information released.

The Canadian Recording Industry Association was coordinating the legal action for the plaintiffs. It is interesting to look at its news releases on the matter (http://www.cria.ca/news.htm). For example, on March 12, after the first day of the hearing before Justice von Finckenstein, it issued a news release saying it was "confident" its motion would be granted.

The plaintiffs' motion was dismissed because of deficient evidence. CRIA had hired a company called MediaSentry to investigate music piracy. MediaSentry downloaded files from 29 users of peer-to-peer software, and came up with an IP address for each user at the time of download. The IP address could be linked with an ISP through whois queries, so the plaintiffs wanted the ISPs to disclose the real name, address for service, and other information about the holder of the account to which the particular IP address was assigned at the particular time.

However, there was no evidence at all as to how MediaSentry came up with the IP address of each peer-to-peer user. In addition, the affidavits tendered by the plaintiffs were full of hearsay with no explanation for why they did not provide affidavits from those with direct knowledge. It seems to me that this was a big screwup by the lawyers who prepared the motion material.

There were five ISPs named as non-party respondents to the motion: Shaw, Rogers, Bell Canada, Telus, and Videotron. All five are respondents on the appeal and each filed its own memorandum of fact and law. It is particularly interesting to read the ISPs' arguments. Only one, Videotron, is basically supportive of the plaintiffs. Bell Canada's position is ostensibly neutral, but its arguments are strongly opposed to the plaintiffs' appeal. The other three expressly argue that the appeal should be dismissed.

In my view, the decision of Justice von Finckenstein is solid and it is surprising that CRIA is even appealing it. Since these are just intended as test cases in any event, it might be better off going back to square one, having MediaSentry or some other company entrap some more alleged copyright-infringers and this time developing a stronger evidentiary base to bring to court.

Mathew Englander

Retailers demanding ID, tracking returns

The October 18, 2004 edition of Fortune Magazine points to an increasing practice of retailers demanding ID when customers return products. This has led to a flurry of complaints to the Canadian Privacy Commissioner (see "New Privacy Law Sprouts Forest of Complaints"). But the Fortune article refers to a new service that tracks shopping patterns and the returns of individual customers. If you have a pattern of "excessive returns", your return will be declined.

FORTUNE - Magazine - Sorry, Your Return Is No Good Here:

"Walking through the mall a couple of weeks ago, Hayden Cobb, a 32-year-old systems engineer at Lockheed Martin, couldn't resist a few impulse buys. But after realizing that all his crisp new shirts didn't fit right, he headed back to the Express store near Atlanta, receipt in hand. The clerk asked for his driver's license, swiped it, and then handed him a small slip of paper that read 'Return Declined.' 'I was dumbfounded,' he says.

Cobb is just one of the many customers who are finding that returning merchandise isn't as easy as it used to be. Retailers including Express, the Limited, and the Sports Authority have begun tracking consumer return and exchange habits to help curb the $16 billion that stores lose in 'return fraud' each year. All the companies mentioned have enlisted California-based Return Exchange, a five-year-old for-profit company that stores customer ID and payment information and tracks shopping behavior, looking for patterns of fraudulent or excessive returns. The system also aims to prevent 'wardrobing,' in which people (women in particular) buy clothes, wear them to a party, and return them the next day. 'We're not accusing you of being a thief,' says King Rogers, a consultant who advises Express on security matters. 'We're suggesting that you're not a profitable customer.' While stores have long reserved the right to refuse returns, shopper tracking has privacy watchdogs like Jordana Beebe of the Privacy Rights Clearinghouse alarmed (she's particularly worried that data across stores may eventually be aggregated)... "

Privacy and outsourcing fears in the UK

The latest SANS privacy bits contains the following report:

"UK: Loophole in EU Data Protection Laws Puts UK Consumers at Risk (16 October 2004)

According to Peter O'Grady, assistant secretary of Lloyds TSB Group union, British consumers are at risk due to the outsourcing of call centers in India and other developing countries. Information given to call center operators in India by British consumers is not protected due to a legal loophole in the European Union (EU) data protection laws. His warning comes as Royal Sun Alliance, an insurance giant, announced it was sending 1,100 jobs to India.

-http://www.123bharath.com/world-news/index.php?action=fullnews&id=29206

Related Article: Royal Sun May Set Up Call Centre In Bangalore

-http://www.rediff.com/money/2003/sep/17bpo.htm

[Editor's Note (Murray): They are at it again. This is economic protectionism masquerading as a concern for privacy. (Triulzi): Unfortunately as the drive towards outsourcing continues these issues are going to become more and more relevant. India's government has been working to address data privacy issues although as of today it does not yet possess any legislation in the field. The real question should be: isn't the data ending up in too many different hands? A large insurer surely has data which should be closely guarded (e.g. medical claims) - what are they doing to guarantee the security of this data? ]"

The Radwanski Saga Continues

Just in case you thought that the Radwanski story had been told, a new chapter was tabled in Parliament today, according to the Canadian Press:

Yahoo! News - Former privacy czar hired daughter of insider in return for access: report:

"OTTAWA (CP) - Hiring rules were so lax in the federal privacy commissioner's office that the daughter of a prime ministerial secretary was given questions and answers in advance of a pre-ordained job interview, says a new report.

George Radwanski may be long gone but new details are emerging about his troubled tenure. A one-year follow-up report on the scandal, tabled Tuesday in Parliament, revealed that Danielle Bondar was hired to repay what Radwanski considered 'an important political favour.'... "

Thefts of government computers suggest huge losses of personal information

A Vancouver lawyer has compiled a scary bunch of statistics on losses of computers (and, by inference, data) from the Canadian federal government. See the article in the Globe & Mail:

Computer thefts hint at huge losses of data:

"Hundreds of computers were stolen from federal government offices last year, filched from such security-sensitive agencies as the RCMP, the Canadian Space Agency, Canada Customs and Revenue Agency, the Department of National Defence and the Privy Council, the operational arm of the cabinet."

Monday, October 18, 2004

Alberta legislature committee recommends changes to the Health Information Act (HIA)

A special select committee of the Alberta legislature has made fifty-nine recommendations for amendments to the Health Information Act (Alberta). The report is available from the website of the committee at http://www.hiareview.assembly.ab.ca/.

The text of the press release appears below:

Committee recommends changes to the Health Information Act (HIA):

"LEGISLATIVE ASSEMBLY OF ALBERTA

SELECT SPECIAL HEALTH INFORMATION ACT REVIEW COMMITTEE

October 18, 2004

Committee recommends changes to the Health Information Act (HIA)

Edmonton... Striking a balance between protections of privacy versus a need to know was one of the more challenging tasks before the Select Special Health Information Act Review Committee as they reviewed current legislation over the summer.

"Our focus was to review the Health Information Act to determine whether an appropriate balance has been achieved between protection of the individual's privacy and access to health information where appropriate to provide health services and to manage the health system," said committee chair Broyce Jacobs. "I think we achieved that."

With 72 written submissions and 15 oral presentations to consider during the review, months of consideration and deliberation have resulted in 59 recommendations being made by the committee.

The committee's first recommendation is that a future committee be struck in 2005 to address issues that require additional research and further consultation with stakeholders.

"There are a number of issues that require more time," explained Jacobs. "As well, there is intent to consider harmonization with a pan-Canadian health information privacy and confidentiality framework, which is not yet finalized and therefore could not be addressed by this committee."

The focus of this committee's recommendations deals with: the purpose of the Act, definitions, the scope of the Act, health service provider information, individual right to access health records, collection of health information, elements of consent, discretionary disclosure without consent, disclosure to police services, triplicate prescription program, genetic information, informed knowledgeable implied consent, disclosure for research purposes, duties and obligations to custodians, the Commissioner, substitute decision makers, offences and penalties and health information regulations.

A copy of the Select Special Health Information Act Review Committee's final report is available online at http://www.hiareview.assembly.ab.ca/ ."

Opinion: Privacy law perversely protects those who break it

Michael Geist's regular Toronto Star column this week is a strong argument in favour of changes to the reporting procedures at the Office of the Privacy Commissioner. At present, the Commissioner only releases very brief summaries of her findings that are cleansed of all information that could identify a party. The parties themselves are provided with a much more thorough analysis (see the examples posted by the Public Interest Advocacy Centre). As someone who reads them all to help advise clients, I can say that they are often so summarised that it is difficult to use them as a basis for advice. Michael argues that this only serves to protect those who break the law, and that proposed changes to the practices at the Privacy Commissioner's Office further undermine the utility of issuing findings:

TheStar.com - Privacy law perversely protects those who break it:

"...For Canadian privacy law to garner the respect it needs to achieve widespread compliance, the commissioner's office should consider several changes to its reporting approach. First, it should work toward a more timely release of findings, recognizing the import attached to them by the privacy community. Moreover, it should update findings that are challenged in federal court and refrain from removing findings from its site without public notice (as it did in one instance over the summer).

Second, the commissioner's office should stop adding an additional layer to the reporting system with its summaries of each finding and instead release the full text of Commissioner's report for each case (with only the complainant's identifying information omitted). The current approach adds unnecessary costs, leads to reporting delays, and fosters uncertainty within the privacy community on the degree to which the summary can be relied upon in future complaints.

Third, it should at long last exercise its power by identifying the targets of well-founded complaints. The Act empowers the Commissioner to "make public any information relating to the personal information management practices of an organization if the commissioner considers that it is in the public interest to do so." Critics of a "naming names" approach have pointed to this provision as a reason for keeping the parties anonymous, arguing that it cannot always be in the public interest to release identifying information.

In fact, changes at the commissioner's office suggest that the law provides plenty of support for a more transparent disclosure policy. Recent reports indicate that the commissioner's office is scaling back its disclosure of findings. Roughly half of all complaints are now settled through mediation and the commissioner apparently does not plan to release the details of those resolved cases. Moreover, where a finding involves a fact scenario that has previously been discussed in a reported case, a new finding will similarly not be issued.

As a result of these changes, the commissioner's office seemingly now plans to release only novel findings that cannot be settled.... "

Sunday, October 17, 2004

Nursing home privacy whistleblowers vindicated in Australia

An Australian government inquiry has vindicated a number of whistleblowing employees of a Melbourne nursing home. Among the incidents reported is one related to the privacy of the residents: "In a gross breach of privacy, residents' personal records were used as scrap paper for grocery lists and chores to be done around the home."

More coverage on the VeriChip implantable RFID chip

The media coverage arising from the FDA's approval of the VeriChip implantable RFID chip continues. The BBC, in its 'Magazine', has an article that thoroughly surveys the issues, from a technical overview to the theories of the tinfoil hat brigade:

BBC NEWS | UK | Magazine | Security under the skin:

"A US company has been given the green light to implant microchips in humans. It's intended to provide medical information ... but will it turn into a surveillance system?

How would you like to have the equivalent of a barcode built into your arm?

It would be convenient. A quick scan could save the need to show passports or ID cards. It would be handier than carrying cash or producing medical records.

And a particularly clever barcode would let people find you if you were lost or abducted.... "

Saturday, October 16, 2004

Data Miners Moving to Offshore Data Havens

Slashdot has an interesting new discussion stemming from an article that appeared in the Washington Post about former US Government data-miners who have fled to the Bahamas to avoid US privacy laws.

Slashdot | Data Miners Moving to Offshore Data Havens:

"Posted by michael on Saturday October 16, @06:03PM
from the data-arbitrage dept.

schwit1 writes 'Washington Post has an article about former TIA personnel moving their data mining operations offshore (Bahamas) to escape U.S. privacy rules, and to make a buck. I'm waiting for somebody to publish the private data (financial, medical, legal) of federal officials and their families on an open internet web server out of the Bahamas. Is this what it will take for the US to enact stringent privacy rules?' "

The discussion is interesting, as is the article it is based upon, but the participants have varying levels of understanding of privacy law.

More on privacy and Google's desktop search

Further to my earlier post, Article: A Closer Look At Privacy & Desktop Search, the Register has an article that includes comments from David Burns, CEO of Copernic: Google Desktop privacy branded 'unacceptable'. My favourite quote is "Stick your hand up if you want Google to know what pictures you have, and what MP3 files you have". Worth reading.

Article: A Closer Look At Privacy & Desktop Search

Google has launched its desktop search product, which appears to be quite popular. After all, who wouldn't want to be able to search all the junk on their computer as easily as you can search the internet? As long as the product doesn't send any information back to Google (a la spyware), what are the privacy issues? Well, there are a few, particularly if you share your computer or your computer is not adequately secured on a network. Danny Sullivan, of Search Engine Watch, has a good article on things to think about when using a desktop search tool.

A Closer Look At Privacy & Desktop Search:

"The anticipated popularity of Google's new desktop search tool means that soon it will be commonplace for everyone to search their computers as easily, comprehensively and quickly as they search the web. After all, several of Google's competitors already are working on desktop search offerings of their own. So even if you don't use Google's tool, chances are, you'll use someone else's.

In short, a new era of search is being ushered in. With it comes some new issues about search privacy. We've already seen how people are sometimes shocked to discover that personal information about themselves is out on the web and made easily accessible through search. Our Search Engines & Legal Issues page recounts many such examples.

...

The same issues apply in general to desktop search. Search tools, like the new one from Google, will make it much easier to find and locate information on a particular computer. That shouldn't be a privacy issue, as long as ordinary security procedures are followed. Unfortunately, they often aren't."

Incident: Confidential Medical Records Found In Dumpster Behind Building

KVBC of Las Vegas is reporting on an incident in which confidential counselling records were apparently removed from a counselling centre and left in a dumpster for anyone to find:

Confidential Medical Records Found In Dumpster Behind Building:

"Suspected burglary at the Community Counseling Center leaves boxes of confidential files exposed. News 3 Investigator Darcy Spears tells us about the unlikely place the files were found. Counseling center staff were shocked when we showed them dozens upon dozens of private files in a wide open dumpster behind their building. They recovered everything, then called police to find out who would want to hurt those in the business of helping.

On the inside, the signs of respecting privacy and confidentiality are everywhere. But just outside the Community Counseling Center near Sahara and Maryland Parkway, we discovered a serious violation of that privacy. 'Social Security number, telephone number, address, psychological testing results.'"

Thursday, October 14, 2004

The new era of retail wants to be the old era of retail

Yahoo News is carrying a story on the use of wireless technology in the retail environment, Yahoo! News - 7-Eleven Adopting Wireless Technology. The focus is on 7-Eleven and Slurpee inventory management, but there is a very interesting quote in the middle of the article:

"'Retailers are trying to get back to where they were in 1905,' said Cathy Hotka, a retail consultant in Arlington, Va. 'Back then they knew you, knew your credit, knew what you wanted to buy and how to stock it.' "

It is an interesting observation and I have little doubt that it is true. But today, I am not sure that this 1905 paradigm is what the shopper is looking for. Back then the relationship went both ways. Your local general store knew about your business, but the consumer knew the owner of the general store and most of its activities were out in the open. He wouldn't dare do anything nefarious with the customer's information because the customer would simply walk. It's a matter of trust. I think some retailers can get back to "where they were in 1905", but they have to do it with transparency and earned trust.

Wednesday, October 13, 2004

News: FDA approves injecting ID chips in patients

The United States Food and Drug Administration has approved a new technology that involves implanting a tiny chip into the forearm that contains a unique serial number that is linked to a database containing an individual's medical records. The device is not yet listed on the FDA's website's Medical Devices Approval list, but there are reams of coverage linked from Google News.

See, for example, the following article from ZDNet:

FDA approves injecting ID chips in patients | Tech News on ZDNet:

"The U.S. Food and Drug Administration has approved the practice of injecting humans with tracking devices for medical purposes, according to a Florida company that makes the devices.

Applied Digital, maker of the implantable VeriChip for humans, announced Wednesday the FDA's approval of its technology for use in hospitals following a yearlong review by the agency.

The computer chips, which are about the size of a grain of rice, are designed to be injected into the fatty tissue of the arm. Using a special scanner, doctors and other hospital staff can fetch information from the chips, such as the patient's identity, their blood type and the details of their condition, in order to speed treatment.

...

Medical data is not stored on the devices, also known as radio frequency identification chips. Rather, it's stored in a database that links the chips' unique serial numbers with patient data. In its review, the FDA carefully studied the privacy issues around the technology, specifically the risk that medical records could be improperly disclosed, according to Applied Digital... "

Tuesday, October 12, 2004

Privacy Note: Privacy Risks of Electronic Communication

National Privacy Services has launched a monthly privacy newsletter to keep clients and others updated on privacy issues. It is designed to be a practical resource for businesses. You can subscribe by clicking the link on NPSi's website (http://www.privlaw.com).

The first edition of Privacy News contains the following article that I wrote:

Privacy Note: Privacy Risks of Electronic Communication

The same communication technologies that have revolutionized our workplaces, made workers more efficient and have freed us from our desks also pose particular privacy risks that need to be carefully considered to minimize the risk of accidental disclosure of personal information.

Virtually every privacy code and statute requires that custodians protect personal information against accidental disclosure. This obligation exists at every stage: from collection through storage to ultimate disposal. Virtually every means of communication comes with the risk that the information transmitted may be intercepted or misaddressed.

This risk is significantly heightened, however, with more recent and modern means of telecommunications. Letters can always be misaddressed, but the risk is relatively low if envelopes are individually hand-addressed, one at a time. Faxes and electronic mail take that risk to a whole new level. If a conventional phone number is misdialed, this fact immediately comes to the attention of the calling party. The call can be quickly and politely ended before any information is disclosed. A misdialed fax, on the other hand, will often go completely undetected by the sending party, particularly if another fax machine is reached at the other end of the line, producing a transmission report that simply states the fax was successfully sent. Electronic mail has very similar issues, as anybody who has accidentally clicked on "reply to all" can easily attest. In addition, auto complete features of some email systems may mean that a message may be sent to the first person matching a particular name in your address book, even if they were not the intended recipient. For example, an email meant for Sue Smith may be sent to Ann Smith if the sender is not paying sufficient attention. In addition, electronic mail messages are less secure than postcards because they routinely pass through the computer systems of complete strangers on their way to the final destination. An email message between neighbours using different internet service providers may actually leave the country before finally being routed to the proper inbox.

Health care organizations have always needed to be concerned about this in light of their ethical and professional obligations of confidentiality. New privacy laws, however, bring this issue to the fore once again. Most private sector health care providers now have a legal obligation to protect that information against disclosure and a person whose information is disclosed may be able to seek damages for the leak. In addition, some privacy laws require the custodian of that information to let the individual know that their information was accidentally disclosed. A recent example from the American media involved a hospital that accidentally sent patient records by fax to the newsroom of the local newspaper. Under Canadian laws, that media outlet is unrestricted in what it can do with that information once it has it in its custody. The hospital will consider itself lucky if a report describing its mistake only ends up on the front page of the paper.

A recent finding from the Office of the Federal Privacy Commissioner admonished an employer for allowing medical information about employees to be received at a central fax machine in their HR department. Incoming and outgoing faxes must be additionally secured, particularly when they send or receive sensitive personal information.

So what is an organization to do to secure the transmission of personal information against accidental disclosure? The following checklist provides some guidance:

  • Consent to communicate by email should be obtained from the individuals in question, because email communications might be received by unintended parties. Workplace email systems may be routinely monitored by the employer and some people may give others access to their email box, for example to a secretary or a colleague if the individual is on vacation. Home email addresses may be used by a number of members of the same household, posing the risk that a sensitive message may be received by a number of members of that household.
  • Email communications should be encrypted wherever possible.
  • The "auto complete" feature of email systems should be disabled, requiring the full name of an individual recipient before a message is sent.
  • Regularly called fax numbers should be programmed into the auto dial feature of fax machines. In the health care setting, separate fax machines should be used: one for patient information and a second for other communications. Only vetted health care providers should be entered on the speed-dial feature of the patient information fax machine.
  • Clear consent from patients or customers should be obtained before email or fax is used to communicate sensitive personal information.
  • Facsimile cover pages should suggest that any unintended recipients contact the sender as soon as possible so that any harm done from the accidental disclosure can be mitigated as much as possible.

For more information on how to secure your organization, and your communications, against accidental disclosures of personal information, please contact National Privacy Services at 1-877-PRIVLAW.