Monday, May 31, 2004

Resource: Organizations' Guide to Complaint Investigations under PIPEDA

The Office of the Privacy Commissioner has just published a handy guide for organizations facing investigations under PIPEDA. For companies in this unhappy position and the lawyers who advise them, this brief guide will probably be very useful:

Fact Sheet: Organizations' Guide to Complaint Investigations under the Personal Information Protection and Electronic Documents Act - Privacy Commissioner of Canada:

An individual has filed a complaint against your organization with the Office of the Privacy Commissioner of Canada.

What happens now?

Our Investigations and Inquiries Branch will review the complaint and an investigator will be assigned to the case.

What is the investigator's role?

The investigator's job is to gather the facts related to the complaint and make recommendations to the Commissioner. These recommendations are based on an analysis of the facts within the framework of the Personal Information Protection and Electronic Documents Act. ..."

Saturday, May 29, 2004

Presentation: PIPEDA and Physicians - MSNS AGM 2004

I was recently invited to give a presentation to the Annual General Meeting of the Medical Society of Nova Scotia on the impact of PIPEDA on physicians. (See presentation: PIPEDA and Physicians - MSNS AGM 2004.)

Since last year, I have been working with National Privacy Services and the Medical Society to design an easy-to-implement solution for busy physicians. In our experience, most physicians don't have the time or the inclination to design their own compliance program. And as small business people with tightening revenue, physicians don't have the resources to engage a privacy lawyer to assist them. (Perhaps as important, most doctors don't know about the law, let alone what they need to do to address it.)

The final product is the Physician's Privacy Manual, which includes a complete suite of products that a physician can implement in his or her practice. The Manual includes:

  • Privacy training manual (the only one of its kind designed from the ground up to address privacy in the private practice);
  • Policies and procedures to adopt in the practice;
  • Consent form for affirmative, opt-in consent;
  • Educational tools, including a privacy statement for patients and poster; and
  • Multi-media CD with a one-hour overview of PIPEDA and its requirements.

The procedures and tools contained in the Physician's Privacy Manual have been extensively field tested in private practices and subjected to review by a wide range of physician focus groups. For more information, contact National Privacy Services at or (toll free) at 1-877-PRIVLAW.

BC privacy watchdog seeks US government, FBI input in Patriot Act

The British Columbia Privacy Commissioner has released a statement that he will begin an inquiry into the impact of the US Patriot Act on the privacy of British Columbians. Specifically, he is concerned that US federal authorities will have access to personal information of British Columbians if a US company is used as the outsourced service provider for various public services.

Here are links to articles from Google News:

Pending inquiry, government should halt its plan to give private ...
BCGEU, Canada - 11 hours ago
The provincial government should immediately halt plans that would put private information on every British Columbians into the hands of US firms, pending a ...

BC privacy watchdog seeks US government, FBI input in Patriot Act ...
Canada East, Canada - 14 hours ago
VICTORIA (CP) - The FBI and US Attorney General John Ashcroft are being asked to contribute to a British Columbia study of the US Patriot Act. ...

Patriot Act probe begins
CBC British Columbia, Canada - 14 hours ago
VICTORIA - BC's Privacy Commissioner has launched a review of the impact of the US Patriot Act on government plans to contract out the Medical Services Plan to ...

BC privacy czar to study US Patriot Act
CTV, Canada - 12 hours ago
VICTORIA — The FBI and US Attorney General John Ashcroft are being asked to contribute to a British Columbia study of the US Patriot Act. ...

Friday, May 28, 2004

Article: ID Theft from Medical Records

A recent story from Baltimore, MD, highlights the vulnerability of personal information and the need for vigilance. People trust their doctors to maintain their confidentiality, but this trust can be betrayed by unscrupulous employees.

Making Medical Records Identity-Theft Proof

POSTED: 8:47 am EDT May 27, 2004

BALTIMORE -- You trust your doctor to maintain your health but what about your privacy?

Patients from one doctor's office thought their personal information was protected. They were wrong.

WBAL-TV 11 News I-Team reporter Barry Simms discovers how easily your security can be breached.

Anne Knoeller thought her personal information was secure until an unusual phone call...

Knoeller: "He said check your credit report."

The caller -- a Baltimore County police detective. He told her, "your information's been taken out of a doctor's office."

She was shocked. The alleged thief -- a medical assistant trusted with private patient information. 21-year-old Chanell Cole of Baltimore worked at Hunt Manor Medical Associates in Phoenix. The practice is affiliated with the Greater Baltimore Medical Center....

Full text here ...

Wednesday, May 26, 2004

Article: Google's GMail faces fight on privacy

Privacy International has filed a complaint against GMail, Google's new web-based e-mail service that offers 1GB of storage. The complaint has been filed in a number of jurisdictions, including Canada.

Privacy International: "PI intensifies pressure on Google's Gmail service

Privacy International has filed a complaint asking the privacy and data protection commissions in France, Germany, the Netherlands, Greece, Italy, Spain, Czech Republic, Belgium, Denmark, Sweden, Ireland, Portugal, Poland, Austria, Australia and Canada along with the European Commission and the EU Commissioners internal Article 29 Data Protection Working Group to investigate the serious privacy problems that Google's Gmail service poses."

The most reported aspect of the privacy concerns revolves around Google's intention of serving ads that are based on the content of e-mails. There is also a concern related to the amount of storage offered and the risks that may be associated with it.

See the following media coverage:

London Free Press: Business Section - Google faces fight on privacy: "Google's free e-mail service, Gmail, has come under attack by privacy rights groups that claim it violates privacy laws in many countries. Many Internet service providers (ISPs) offer free e-mail with a limited amount of space to store messages. Gmail's generous 1GB storage capacity comes at a price -- the user's exposure to targeted advertisements based on the contents of their e-mails.

Google's free e-mail storage capacity is more than 100 times that offered by established rivals such as Yahoo and Hotmail. The service is promoted as a means for a user to create a centralized and permanent e-mail archive.

Privacy International filed complaints against Gmail with privacy regulators in Australia, Canada and 15 countries in Europe."

Google's free Gmail service comes under fire overseas: "Google's free e-mail service Gmail is under fresh fire from an international privacy rights group that said the soon-to-be-launched service violated privacy laws across Europe and elsewhere.

Privacy International, which has offices in the United States and Europe, said it filed complaints with privacy and data-protection regulators in Europe, Canada and Australia. It had already filed an initial complaint in Britain. "

Bits & Bytes for April 22, 2004: "Google Pressured On Privacy

Yet more Google news: the search giant's plans to include contextually targeted ads in its still-in-beta free e-mail service, Gmail, have drawn more fire.

The search giant intends to have its technology scan the content of e-mail messages, and target ads accordingly. The plan has generated privacy concerns and widespread criticism.

The free consumer service comes with 1 gigabyte of storage and the ability to easily search through old messages. The price of that is letting the company apply its highly successful keyword-advertising infrastructure to the content of the messages. Privacy International is the latest group to protest on grounds of privacy. The group filed a complaint Monday asking privacy and data protection commissions in sixteen countries to investigate potential invasion of consumers' privacy.

The international electronic privacy watchdog complained that the proposed service violates several statutes of the European Union's Data Protection law.

Google says what's drawing concern is what computers are capable of doing, not what the company does in reality. 'We pride ourselves in protecting users' data and holding ourselves to the highest standard,' said Wayne Rosing, VP of engineering for Google.

'We do not keep that data in correlated form, it's separated in various ways and we have policies inside the company that do not allow that kind of correlation to happen. We consider any program or programming that correlates user data with user identity to be a violation of trust and we do not do that,' said Rosing."

Monday, May 24, 2004

Thanks: This blog named "website of the month"

Thanks to the Canada/BC Business Services Society and eBusiness Connection for naming this blog "website of the month".

eNews: "Website of the Month

Looking for more details about how recent privacy legislation changes are affecting how you do business? Be sure to bookmark David Fraser's Canadian Privacy Law blog. This online journal presents the writings of a Canadian privacy lawyer. Here, Fraser outlines the developments in privacy law containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws."

Article: Public supportive of strict rules for telemarketers

From today's Toronto Star:

"Public supportive of strict rules for telemarketers

How to make `do not call' list work



Doesn't just the sight of the word make your blood boil? Not that all telemarketers are bad, it's just that the very word conjures up the image of dinner-time interruption and an uncomfortable phone conversation that usually ends with the handset crashing to its base.

To its credit, the Canadian Marketing Association is trying its best to separate itself from insensitive, rogue marketers who insist on bothering us at the worst of times and, despite our pleas, call back over and over again, or worse, defiantly challenge us when we say, 'Sorry, not interested.'

The problem is, the CMA only has 800 members - all big, respectable companies with reputations to protect and enough sense to listen when we ask to be removed from their respective calling lists."

Full text here ...

Article: U.S., Canadian firms worlds apart on privacy

Today's Toronto Star reports the results of a study comparing the privacy practices of Canadian and US companies:

"U.S., Canadian firms worlds apart on privacy:

Compliance, security are aims in states
In Canada, privacy seen as good business


Canadian and U.S. companies have vastly different attitudes and motivations when it comes to protecting the privacy of their customers, according to a cross-national study to be released this week.

The study, the first to compare the corporate privacy practices of comparable Canadian and U.S. firms, found that Canadian businesses see their privacy practices as an opportunity to improve relations with customers, while their U.S. counterparts viewed privacy measures more as a way of complying with legislation and avoiding civil lawsuits.

Indeed, 61 per cent of surveyed Canadian companies linked 'good privacy practices' to customer trust and brand loyalty, compared to only 17 per cent of U.S. companies."

Full article here ...

Saturday, May 22, 2004

Privacy Officer Training: Toronto, Ottawa, London

National Privacy Services Inc. will be offering its unique privacy officer training course in London, Toronto and Ottawa, Ontario in the month of June.

Unlike most "privacy seminars" (which I have found to be rambling, too theoretical and disjointed), NPSi's offering is very practical, hands-on and leaves attendees with solid skills and tools to either begin the compliance process for their organizations or to increase their competence in critical skills.

For more information, check out NPSi's training schedule or the links to the individual sessions above.

Friday, May 21, 2004

Thanks for the link! beSpacific: Blog on Canadian Privacy Law Issues

Thanks to Sabrina I. Pacifici for the link from her very useful and frequently updated beSpacific blog. I never knew until yesterday that Sabrina is also the creator of the fantastic LLRX.

beSpacific: Blog on Canadian Privacy Law Issues
Attorney David T.S. Fraser's blog on the Personal Information Protection and Electronic Documents Act and Canadian privacy law issues provides a wealth of resources, commentary and links, frequently updated, from his home base in the wonderful city of Halifax.

Federal Cabinet adds to the list of "investigative bodies" under PIPEDA

On 30 March 2004, the Canadian cabinet passed an order-in-council adding to the list of bodies with "investigative body" status under PIPEDA.

Organizations that receive this designation are able to take advantage of the consent exceptions contained in Section 7 of PIPEDA that specifically apply to investigative bodies. In particular, Section 7(3)(d) and (h.2) allow certain disclosures of personal information without consent:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is …

(d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs; …

(h.2) made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or … .

The amendments add a number of professional regulators to the list, as well as private investigators.

See the full text at the Canada Gazette web site:

"Vol. 138, No. 8 - April 21, 2004

SOR/2004-60 30 March, 2004


Regulations Amending the Regulations Specifying Investigative Bodies

P.C. 2004-327 30 March, 2004

Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(1)(a.01) of the Personal Information Protection and Electronic Documents Act (see footnote a), hereby makes the annexed Regulations Amending the Regulations Specifying Investigative Bodies. "

Wednesday, May 19, 2004

PIPEDA and Video Surveillance: Guidance from the Ontario Courts

I recently blogged about PIPEDA and Video Surveillance, particularly in the insurance claims process. We are finally getting some guidance from the courts on how PIPEDA will be applied in litigation.

Since the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into full effect on January 1, 2004, insurers have been concerned about what impact this legislation might have on their claims handling processes and the ability of claims personnel to order video surveillance of claimants. There has been a fair amount of uncertainty and, while the issues are not entirely resolved, we are beginning to receive some guidance on how the courts will deal with the intersection between privacy rights and litigation.

The Ontario Superior Court of Justice recently issued a decision in the matter of Ferenczy v. MCI Medical Clinics. In this case, the insurer ordered video surveillance of the claimant, which was used at trial to impeach the claimant’s testimony. An objection was raised by the Plaintiff’s counsel on the basis that the video surveillance was conducted in violation of PIPEDA and should therefore be inadmissible in court. In the absence of the jury, Justice Dawson considered this issue and reached a number of notable conclusions.

PIPEDA applies with respect to personal information that is collected, used or disclosed in the course of “commercial activities.” When the law applies, it requires the knowledge and consent of the individual concerned for the collection, use or disclosure of his or her personal information. There are a number of exceptions to the consent principle contained in Section 7 of the statute.

Justice Dawson concluded that litigation of third-party claims is not “commercial activity” for the purposes of PIPEDA. (Please note that this is likely not the case for a first-party claim, such as under a disability policy or for Section B benefits.) Justice Dawson also concluded that, if PIPEDA applied, the Plaintiff implicitly consented to the collection of personal information via video surveillance by the act of putting forward the claim. Finally, Justice Dawson also concluded that the exception to the consent principle contained in Section 7(1)(b) was applicable.

Lawyers in our privacy and insurance law groups have been recently involved with a number of PIPEDA complaints against insurers initiated by plaintiff’s counsel. While the complaints are not yet resolved, insurers would be well advised to anticipate that such complaints may become commonplace until these matters are clearly resolved by the Privacy Commissioner or the Federal Court. It is possible that the Privacy Commissioner’s conclusions will differ from those of Justice Dawson, further complicating matters for insurers.

Article: New drug tracking laws introduced in PEI

PEI is introducing a law to facilitate sharing of prescription data ...

New drug tracking laws introduced
WebPosted May 17 2004 08:17 AM ADT

CHARLOTTETOWN -- The Binns government is making moves to allow pharmacies to share information more freely. In part, the new law would help pharmacies identify people who are abusing prescription drugs.

The goal is to stop people from getting prescriptions from more than one doctor, or having multiple prescriptions from more than one pharmacy."

Full article ...

Tuesday, May 11, 2004

Article: U.S. Patriot Act worries Privacy Commissioner

There has been no shortage of spilled ink (or spilled electrons) on the impact of the US Patriot Act on the privacy of Americans. One aspect of the law has raised the ire of the Privacy Commissioner of British Columbia. He alleges that the law puts Canadian privacy at risk because it reaches into American companies that handle Canadian personal information, in Canada:

U.S. Patriot Act worries Privacy Commissioner:

"U.S. Patriot Act worries Privacy Commissioner
WebPosted May 11 2004 02:28 PM PDT

VICTORIA - B.C.'s Privacy Commissioner is asking the provincial government for extra money to examine the ability of U.S. authorities to access confidential information in Canada.

The U.S. Patriot Act allows American law enforcement agencies to access private information held by U.S. companies.

That could include information held by Canadian subsidiaries of U.S. companies. "

Full text here ...

Article: Canadian Feds launch spam task-force

A report on a new initiative launched by Canada's Industry Minister:

Feds create task force to attack spam problem:

"As part of a wider effort to crack down on senders of fraudulent e-mail, the federal government Tuesday announced the creation of a new spam task force.

Among other initiatives, the task force of public- and private-sector representatives will review the use of existing anti-fraud laws as well as any 'regulatory and legislative gaps' that might inhibit law enforcement agencies from bringing spammers to justice.

The task force's overall goal is to identify measures to reduce or control spam.

'The government must ensure that existing legislation' addresses the spam problem, Industry Minister Lucienne Robillard told an Ottawa audience. "

Full story here ...

Saturday, May 08, 2004

Incident: Computer System at U.C. San Diego Hacked

From today's Yahoo News:

Yahoo! News - Computer System at U.C. San Diego Hacked:

"Computer System at U.C. San Diego Hacked
Fri May 7, 11:55 PM ET

SAN DIEGO - Hackers broke into the computer system of the University of California, San Diego, compromising confidential information on about 380,000 students, teachers, employees, alumni and applicants.

Investigators urged those affected to guard against identity theft.

Hackers infiltrated four computers that stored Social Security and driver's license numbers in the university's business and financial services department. Investigators are unaware of any illegal use of the data.

University officials discovered the security breach April 16 after noticing a spike in traffic on the network.

In December, more than 178,000 San Diego State University students, alumni and employees had personal information exposed by hackers who broke into a university computer server. The FBI and campus police investigation found computers used for the hacking were on the East Coast.

Last month, the San Diego Supercomputer Center, which is on the UCSD campus, was infiltrated by a hacker, although officials said no critical information was lost. "

Thursday, May 06, 2004

Article: Computer glitch gives out free gasoline

Over the last few months, I've written a couple of blog entries[1] about swiping drivers' licenses and the information that discloses. Today's Boston Globe has a funny spin on some consequences for people who voluntarily swiped their licenses instead of credit cards:

Computer glitch gives out free gasoline:

"Computer glitch gives out free gasoline
May 5, 2004

PITTSFIELD TOWNSHIP, Mich. -- You can pump, but you can't hide. Some motorists in Michigan have found out the hard way that you can't just gas and go.

They discovered that because of a computer glitch they could swipe their drivers' licenses instead of credit cards to gas up for free at the pumps outside the Meijer chain.

A total of 107 people figured it out, many of them students from nearby colleges in Ypsilanti and Ann Arbor.

In some cases people got as many as 15 fillups over a three-week period. Meijer got hosed for thousands.

But it turns out the information from each transaction with a drivers' license was stored on computer and police are tracking down the culprits."

See "Data toolkit and license decoder", "Decode your barcode, get your personal info", "Great taste, less privacy", and "Bar scheme could breach privacy rules".

Article: Black box shows car crash data

Today's Globe and Mail has an article about "black boxes" in recent cars that, if I understand them correctly, record data for the five seconds before the airbags inflate. Much of the coverage related to them (See Google News Search) has focused on the privacy aspects of these devices.

Black box shows car crash data:

"EDR could be either an eye-glazing acronym or the difference between you and the other driver paying huge sums of money or going to jail. And it's getting lots of attention since a Montreal man was sentenced to 18 months on evidence from his car's event-data recorder.

The revelation of the existence for a decade of the automotive event-data recorder is almost as momentous in traffic-law and civil-court terms as finding DNA was in criminal law.

If your vehicle has airbags, if you have a smart adjuster or lawyer and providing you don't drive like a maniac, proving who is in the wrong can be a lot easier.

But, if you're a little paranoid, certain that there is a Big Brother and that you're the object of his attention, and you drive on the wild side, you could see the EDR as part of a conspiracy to stick it to Canadian drivers."

Monday, May 03, 2004

Article: Audit finds sensitive information about Canadians improperly handled by RCMP

From the Canadian Press wire:

Yahoo! News - Audit finds sensitive information about Canadians improperly handled by RCMP:

"Audit finds sensitive information about Canadians improperly handled by RCMP

Sun May 2, 3:36 PM ET

OTTAWA (CP) - Sensitive tax and customs files shared with RCMP investigators could go astray due to lax procedures within the national police force, an internal audit reveals.

Auditors found widespread confusion over the classification of documents, an outdated list of RCMP personnel with security clearances and ignorance of rules for handling information from customs and revenue officials.

The February audit report, obtained by The Canadian Press under the Access to Information Act, points to heightened public fears about such personal information falling into the wrong hands.

'The issue of privacy rights and the use and exchange of information collected by the federal government has received much attention over the last few years,' says the report. "

Full text here ...

Sunday, May 02, 2004

Article: Hey kid - you wanna buy a ...

The Christian Science Monitor has published an article on issues related to the privacy of children's information, particularly information that is compiled for marketing purposes. The United States already has legislation that deals with the privacy of kids' information online (the Children's Online Privacy Protection Act), but there is -- at present -- no regulation of offline collection and marketing. This will change if a legislative initiative by Senators Wyden and Stevens is passed by Congress (see

Hey kid - you wanna buy a ...
"With Gary Ruskin at its helm, Commercial Alert has gained recent attention on Capitol Hill for its "Parents' Bill of Rights."

The document includes nine provisions to help parents combat commercial influences, one of which calls for banning advertising aimed at children under 12 and two of which have already been introduced in the US Senate.

The first bill under consideration requires fast-food chains to disclose basic nutritional information, and the other, introduced last month by Sens. Ron Wyden (D of Oregon) and Ted Stevens (R of Alaska), would ban list brokers without parental permission from collecting data about children 16 and under - everything from ethnicity and family income to hobbies - and selling it to advertisers and marketers.

This practice extends even to the diaper set, which is especially alarming to parents. But no matter what the child's age, parents consider these lists an invasion of privacy.

"Parents are flabbergasted and angry when they learn that their child's information could be sold on the Internet," says Chris Fitzgerald, press secretary for Senator Wyden.

"These list brokers work by stealth," says Mr. Ruskin. "No one even knows this is happening. Children are naturally more trusting than adults, and that trust is often easy to exploit."

Repeated calls to two of the best-known list brokers, American Student List and Student Marketing Group, were not returned. But Doug Wood, general counsel to both the Association of National Advertisers and the Advertising Research Foundation, spoke up in list brokers' favor. Banning them, he says, would be discriminatory and a violation of the First Amendment.

He doesn't even favor an "opt out" feature similar to the Do Not Call Registry for telemarketers. "There would be a huge rush of parents who sign up out of ignorance," Mr. Wood explains. "Some of the things they sell to kids are valuable. The fact that we are a nation of sellers is not necessarily a bad thing."

But Wood, who has three children, does concede that list brokers might want to tweak their approach: "They could do themselves a favor by being more open," he says.

The Children's Listbroker Privacy Act will be heard sometime before October, says Courtney Schikora, press secretary for Senator Stevens. That may not be soon enough for some activists, but most are encouraged that politicians are listening.

See also coverage in Wired.