Monday, June 28, 2004

Article: The PIPEDA puzzle

The online business publication ProfitGuide has an article on PIPEDA that is worth looking at.

The PIPEDA puzzle:

"Recent judgments prove Canada's new privacy act has surprisingly long arms

By Laura Garetson
PROFIT Magazine / June 2004

It's 2:25 P.M. Two employees, certain no one is watching, slip into their cars and drive away from work 35 minutes early. But the shift supervisor sees the entire incident with the aid of a security camera and doles out reprimands the next day. The employees take the boss to court, arguing the camera invaded their privacy. True or false: the employees win?"

One thing that it didn't highlight is that PIPEDA only applies to employees if they are employees of a "federal work, undertaking or business". (See my blog entry "PIPEDA and Employees".)

From my perspective, the article does a good job of telling businesses that PIPEDA is for just about every organization:

"Clearly, PIPEDA is not solely the concern of telemarketers and mailing-list brokers. So how can your firm avoid falling afoul of the act? The trick is realizing that PIPEDA applies not only to personal information collected on paper or electronically, but from all sources, including various correspondence, pictures, sound recordings and videotape. "Businesses need to focus not just on info they collect from individuals, but on everything they learn about those individuals," says Robert Parker, Toronto-based national privacy partner with Deloitte and Touche. The key, according to Parker, is to ask yourself the following when collecting personal information: "Is this reasonable to do? Was it reasonably done? Are there less intrusive methods I could use?" That, he says, is a good start to covering the bases."

Friday, June 25, 2004

Article: Better office privacy sought

You don't often see media stories about this issue, but it clearly is one that businesses have to start dealing with in the PIPEDA age. I've seen many insurance brokers whose offices are nothing but short cubicles, where any conversation is easily overheard and computer monitors are visible from anywhere in the room. The safeguards principle from PIPEDA requires that personal information be protected against accidental disclosure and an environment where there is no soundproofing barrier clearly does not qualify:

Decatur Daily Democrat:

"Better office privacy sought

By J SWYGART

The Poor Relief office located in the Adams County Service Complex is suffering from growing pains. Or, more correctly, from privacy pains.

Dan Bieberich, Root Township trustee and chairman of the consolidated poor relief office, which serves the needs of poverty-level families and individuals in 11 of the 12 townships in Adams County (Washington Township has its own poor relief office) told county commissioners on Monday that the single room used by the agency at its Complex location results from time to time in 'privacy problems.'

'It's nothing we can't live with right now. We have a sufficient amount of square footage, but it's something we need to address in the future,' Bieberich said. 'We are running into privacy issues when interviewing some applicants, by having just a single room where anyone can walk in.'

Bieberich asked the commissioners if another room in the Complex is available for use, or if a wall could be constructed in the agency's current room.

Steve Krull, the county's buildings and grounds supervisor, was instructed by the commissioners to research the options and put together a cost estimate to modify the existing Poor Relief office.

'Unless there's a major expense, let's go ahead with this,' said Commissioner Doug Bauman."

Thursday, June 24, 2004

Campaign in BC to prevent outsourcing of medical info management to US company

The BC Freedom of Information and Privacy Association has a report about a campaign launched to prevent the BC government from outsourcing the management of the BC Medical Services Plan to an American company. The fear is that once the info is in the hands of an American firm, it will be within easy reach of the FBI and others, thanks to the USA PATRIOT Act.

'Right to Privacy Campaign' launched to protect individuals' privacy by stopping Maximus deal:

"A diverse and growing group of rights, health, union and other organizations has launched a province-wide campaign to demand that the BC government drop its proposed deal with the Maximus corporation because of the privacy implications of the USA PATRIOT Act.

The Right to Privacy Campaign (RPC) believes that contracting out the administrative functions of BC's Medical Services Plan and PharmaCare to the American corporation Maximus Inc. will place British Columbians' confidential health and related information within easy reach of the FBI and, through the FBI, the entire array of American government agencies.

The primary goal of the RPC is to ensure that there is 'no contracting out by the Government of BC of information or information management, such as MSP or PharmaCare, to any company subject to foreign laws that violate the privacy rights of Canadians, like the USA PATRIOT Act'...."

Unfortunately, the website of the Right to Privacy Campaign, which I expect would have much more info, seems to be down.

Presentation: PIPEDA for Physicians

I just attended Insight Information Co.'s Health Privacy conference in Halifax. The content was fantastic and the presenters were really top-notch. It was a bit disappointing that there were no health practitioners in attendance, but with a $1300 price tag it is hard to manage unless you have a hospital or other organization paying your way.

Without a doubt, I found that the best speaker was Karen Rose, who is the new Info and Privacy Commissioner for PEI. She spoke about the challenges and advantages of privacy compliance. I've asked her for her speaking notes, which I'll also ask her if I can post here. Suellen Murray, from the Nova Scotia Department of Health, discussed the process that is underway to harmonize the health information laws from coast to coast (minus Quebec). She wasn't able to discuss the substance since there are some minor revisions underway, but the process is promising.

I was asked to present on PIPEDA in private practices. Since everyone in attendance came from public institutions (read: non-commercial, and therefore beyond PIPEDA's hooks), the interest was largely academic. I tried to emphasise that many of the doctors who are present in hospitals are going to be grappling with this development, so they'd better be sensitive to it. My presentation, PIPEDA for Physicians, is available here.

PIPED Act Case Summary #270: Bank agrees to modify automated message - May 4, 2004

A new finding from the Office of the Privacy Commissioner that strongly suggests that sensitive personal information should not be left on someone's answering machine:

Commissioner's Findings - PIPED Act Case Summary #270: Bank agrees to modify automated message - May 4, 2004 - Privacy Commissioner of Canada:

"An individual alleged that her bank improperly disclosed her personal information when it left an automated message on her answering machine stating that she was behind on making a payment on her credit card. She stated that she had not given her consent for the bank to leave a message that anyone in her family or a visitor could hear, and objected to this disclosure of her financial status in an unsecured and non-private forum."

The Assistant Commissioner found the complaint to have been resolved by the bank's undertaking not to leave such messages again.

The moral of the story is to not leave sensitive personal information on someone's voice-mail or answering machine without their OK. This will surely apply to physicians who may wish to leave a reminder about an upcoming appointment or a pharmacist leaving a message that the patient's Viagra prescription is ready to pick up.

PIPED Act Case Summary #269: Employer hires private investigator to conduct video surveillance on employee - April 23, 2004

Finally, a new batch of findings from the Privacy Commissioner of Canada. Of particular interest is finding #269, which considers an employer's use of video surveillance by a private investigator. I'll do a fuller analysis later, but the "Further Considerations" section at the end of the finding is instructive:

PIPED Act Case Summary #269: Employer hires private investigator to conduct video surveillance on employee - April 23, 2004:

"Further Considerations

Notwithstanding the findings, the Assistant Commissioner stressed that while she was satisfied that the company only resorted to video surveillance after having taken numerous measures to obtain the required information with the complainant's knowledge and consent, she recommended that the company formalize the steps it took by developing policy and practices that are privacy conscious.

Such a policy, she suggested, should take into account the following:

  • video surveillance is a last resort and should only be contemplated if all other avenues of collecting personal information have been exhausted;
  • the decision to undertake video surveillance should be made at a very senior level of the organization; and
  • the private investigator should be instructed to collect personal information in accordance with the Act, and should be especially mindful of Principle 4.4.

The Assistant Commissioner asked the company to report back to her within 120 days regarding this policy."

Wednesday, June 23, 2004

PIPEDA Awareness Raising Tools (PARTs) Initiative For The Health Sector

Those concerned with the application of PIPEDA to the healthcare sector likely know about Industry Canada and Health Canada's "PIPEDA Awareness Raising Tools". One of the more recent additions is, in my view, incorrect.

"47. Under PIPEDA, can regulatory bodies/colleges still continue to conduct their investigative practices? Does PIPEDA require any changes in the manner in which these investigative activities are conducted?

The relationship between a regulatory body/college and its members is most often of a noncommercial nature, and therefore not captured by PIPEDA. These bodies are also generally empowered by law to obtain personal information as necessary to fulfill their various functions. Professionals subject to the authority of a regulatory body/college would in all likelihood have agreed to the use of their personal information by the body, as part of a condition of membership. PIPEDA recognizes such authority.

Regulatory bodies/colleges may, in the course of their function, need to obtain personal information from other organizations that are subject to PIPEDA, such as financial institutions. Such organizations may only disclose personal information without consent to entities that have been designated as "investigative bodies" under PIPEDA, by regulation. As such, regulatory bodies/colleges may be required to obtain this designation if they wish to obtain personal information from these organizations without an individual's consent."

The "investigative body" designation is only useful for the circumstances set out in s. 7(d):

(d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

For this exception to apply, it has to be on the initiative of the organization (e.g. the physician), not the investigative body. You simply can't rely on it if the investigative body is the one requesting the information. Also, it only applies in the circumstances set out in (i) and (ii). The circumstances in (ii) would clearly be inapplicable and it is questionable whether the circumstances of (i) would come to pass in the course of an investigation by a College of Physicians and Surgeons. The better response is the application of sections 7(3)(c) and (i):

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(i) required by law.

Many professional regulators have jurisdiction to subpoena or otherwise compel the production of information in the custody of a physician. These exceptions are clearly preferable to those in 7(d). Some professional regulators, like those for social workers in Nova Scotia, don't have the power to compel the production of documents and are therefore unable to get this information without consent.

Article: US Charges AOL Worker Sold Customer List for Spam

Most security folks will tell you that violations of privacy are often an inside job. Further evidence:

Yahoo! News - US Charges AOL Worker Sold Customer List for Spam:

"Jason Smathers of Harpers Ferry, West Virginia, has been charged with stealing a list of 92 million AOL customer screen names and selling them to Internet marketer Sean Dunaway of Las Vegas, said David Kelley, the U.S. attorney for the Southern District of New York in a statement."

Editorial cartoon

Monday, June 21, 2004

Article: Sprint and Cingular DO NOT keep copies of your text messages

A little while ago, I wrote "Think before you text" about the use of archived SMS messages in the Kobe Bryant Trial. This (the story, not my blog entry!) has led to inquiries about the practices of cell phone service providers. Engadget has an article on Sprint and Cingular's services, which says they do not save copies of your messages. See Sprint and Cingular DO NOT keep copies of your text messages - Engadget - www.engadget.com

Sunday, June 20, 2004

Significant FCT case: Eastmond v. Canadian Pacific Railway

The Federal Court of Canada has recently released a significant decision related to video surveillance in the workplace (See: Eastmond v. CP Railway, 2004 FC 852). This decision is a very significant interpretation of PIPEDA as it addresses a number of questions: (i) whether PIPEDA protects unionized employees, (ii) whether a hearing at the Court is essentially a trial de novo, (iii) the meaning of "except where inappropriate" in Principle 3, (iv) the interpretation of the consent exception contained in section 9(1)(b) of PIPEDA, and (v) what factors are to be considered in determining whether video surveillance is reasonable.

The origin of this hearing was a complaint to the Commissioner, the finding for which is available on the Commissioner's website as Finding 114 (http://www.privcom.gc.ca/cf-dc/2003/cf-dc_030123_e.asp). In short, the respondent Canadian Pacific Railway installed digital video equipment in the Toronto Railyard. The stated purpose was to deter vandalism and theft, and the cameras recorded on a 96-hour loop. The feed from the cameras was not monitored, but would be used to investigate incidents after the fact. The railway also installed prominent notices that video surveillance was in effect.

In his finding, the Commissioner determined that the use of video surveillance at the Toronto yard was not reasonable and was therefore in violation of section 5(3) of PIPEDA:

(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

The test for reasonableness adopted by the Commissioner was one established by labour arbitrators in addressing similar questions:

  • Is the measure demonstrably necessary to meet a specific need?
  • Is it likely to be effective in meeting that need?
  • Is the loss of privacy proportional to the benefit gained?
  • Is there a less privacy-invasive way of achieving the same end?

Justice Lemieux disagreed with the Commissioner's finding and agreed with the railway. In the course of his decision, Lemieux J. concluded that PIPEDA can apply and the Commissioner may investigate in a union shop. From the decision:

[108] Weber, and the City of Regina, cases, supra, teach if the essential character of the dispute between the parties arises either explicitly or implicitly from the interpretation, application, administration or violation of a collective agreement, the dispute, if the legislature expressed itself to that effect, is within the sole jurisdiction of an arbitrator.

[109] To determine the essential characteristic of the dispute, the decision-maker examines the nature of the dispute in the factual context in which it arose and the ambit of the collective agreement.

[110] I have no hesitation in finding the essential characteristic of the dispute between the applicant and CP is a complaint made by the applicant against CP alleging CP's violation of PIPEDA through its collection of personal information via surveillance cameras for which it did not have the applicant's consent.

[111] Clearly, the factual matrix behind the applicant's complaint to the Privacy Commissioner is the collection of personal information. The applicant specifically engaged PIPEDA in his complaint.

[112] It is true André Corriveau filed a grievance under the collective agreement and invoked articles 28 (which deal with grievances) and 43 (which deals with human rights) of the collective agreement as did Guy Lemire in step 2 of the grievance. They also invoked a violation of PIPEDA.

[113] CP denied the grievance on March 21, 2002, stating at applicant's record, page 40:

I must point out that there is nothing in the collective agreement 101 which deals explicitly with this issue of video surveillance, nor can I see how Rule 28 and 43 have been violated in this situation as suggested by yourself.

[114] I examined the scope of article 43 of the collective agreement. Under article 43, CP and the union agree there shall be no discrimination, interference, restriction or coercion permitted in the workplace with respect to race, national or ethnic origin, colour, religion, age, sex, marital status, family status, sexual orientation, disability or conviction for which a pardon has been granted. The next subsection states CP and CAW recognize that harassment or sexual harassment is unacceptable behaviour and will not be tolerated in the workplace. I see nothing in article 43 which deals with personal information and how it may be collected in the workplace. This was conceded by counsel for CP at the hearing.

[115] As a result, I find the dispute between CP and the applicant does not arise from the collective agreement and if an arbitrator had been appointed, that arbitrator would not have any jurisdiction.

[116] There is another point to be made. By enacting paragraph 13(2)(a) of PIPEDA Parliament intended to give the Privacy Commissioner the discretion to investigate a complaint or defer it if he considered it appropriate a complainant should exhaust a grievance.

[117] In my view, a respondent to a complaint must at the earliest opportunity raise this issue with the Privacy Commissioner if that respondent thinks another review procedure is available. A respondent is not entitled to raise alternative review after the Privacy Commissioner has issued his report. It is by then, too late to argue the matter of jurisdiction on the basis of the exclusive arbitration model.

Justice Lemieux concluded that a hearing before the Court is a trial de novo, though there may be some deference to the Commissioner's interpretation where it is within his/her competence:

[118] A proceeding under section 14 of PIPEDA is not a review of the Privacy Commissioner's report or his recommendation. It is a fresh application to this Court by a person who had made a complaint to the Privacy Commissioner under PIPEDA and who, in order to obtain a remedy under section 16, bears the burden of demonstrating CP violated its PIPEDA obligations.

[119] In Englander, supra, Justice Blais stated at paragraph 29 and 30:

¶ 29 The present hearing is therefore not an appeal of the Commissioner's report, nor is it an application for judicial review in an administrative legal sense.

¶ 30 Accordingly, I am required to exercise my own discretion de novo.

[120] I agree with Justice Blais. I also note the de novo nature of a review proceeding under the Access to Information Act and the Privacy Act is well recognized. See Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403, where LaForest J., dissenting, but not on this point, spoke about a de novo review.

[121] A question arose at this hearing whether the Privacy Commissioner's report was entitled to some deference. In Englander, supra, Justice Blais wrote the following at paragraph 33:

¶ 33 While it is true that he is granted no statutory authority to impose his conclusions or recommendations, I believe that as a statutorily created administrator with specialized expertise, the PCC is entitled to some deference with respect to decisions clearly within his jurisdiction.

[122] I accord the Privacy Commissioner some deference in the area of his expertise which would include appropriate recognition to the factors he took into account in balancing the privacy interests of the applicant and CP's legitimate interest in protecting its employees and property.

[123] However, I do not accord any deference on the Commissioner's findings of fact because I am satisfied the evidence before me is considerably different than that gathered by the Privacy Commissioner's investigation.

Lemieux J. considered the proper interpretation of the phrase "except where inappropriate" in Principle 3, which deals with consent:

4.3 Principle 3 -- Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

In short, this phrase is meaningless in light of the enumerated consent exceptions contained in section 7.

[186] As counsel for the applicant and counsel for the Privacy Commissioner argue, subsection 7(1) of the Act whose marginal note is "Collection without knowledge or consent" prescribes only four circumstances where that collection may take place without knowledge and consent. In other words, subsection 7(1) of the Act has given content to the words "except where inappropriate" found in section 4.3 of the Schedule. This is clear from the opening words of the subsection "[F]or the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause".

The Court did provide some comfort for CP, as Lemieux J. concluded that CP was able to take advantage of the exception contained in section 7(1)(b) because of the specific use of video surveillance by CP:

[188] There is no CP official looking at the monitor at the time the cameras are capturing a person's image. Rather, that person's image is recorded on videotape. The recording is never viewed unless there is a triggering event. The recording is wiped out after 96 hours with the result that person's image is never seen if there is no event.

[189] In this context, I accept CP's argument collection of the person's information takes place when CP officials view the recording to investigate an incident. Assuming the recording captured an individual committing an act of theft asking for his/her permission to collect the information would compromise the availability of the information for the purpose of investigation.

[190] This interpretation does not strain the purposes of the exemption in paragraph 7(1)(b). Clearly, the exemption would apply if a CP official had monitored and recorded live a person attempting to commit a crime. The same result should apply if monitoring is delayed as is the case here.

With respect to the "reasonableness" of CP's installation and use of video surveillance, Lemieux J.'s analysis was thorough:

[174] Applying the appropriate factors to all the evidence before me, I conclude a reasonable person would consider CP's purposes for collecting by recording the images of CP employees and others on video camera appropriate in the circumstances.

[175] I focus first on the cameras themselves and what personal information they collect and how the recordings are viewed. I find the system CP devised and implemented has several appropriate fences.

[176] The collection of personal information is not surreptitious - warning signs are displayed. The collection of personal information is not continuous - it is brief, capturing only a person's image when that person is within the footprint of the camera. The collection is not limited to CP employees - it captures the images of contractors, visitors, suppliers and trespassers. The collection is not to measure a CP employee's work performance and while it is true a camera may occasionally capture a CP employee at work outside the shops, CP could not use those images to measure that employee's productivity because such a use of the information would be a use for a purpose other than that which prompted its collection as a security measure. More importantly, the recorded images are kept under lock and key and the recordings are only accessed by responsible managers and CP police if there is an incident reported. If there are no incidents recorded which require investigations, the recordings are destroyed within an appropriate time frame.

[177] The evidence satisfies me CP has established a legitimate need to have the cameras installed where they were and to record those persons who would pass its fixed footprints. While the cross-examination of CP deponents established, in some cases, a lack of correlation between camera location and incidents and, in other cases, between cause of loss, I am satisfied, on the whole of the evidence, CP identified numerous past incidents which justify the need to have surveillance cameras in place.

[178] The applicant's emphasis on past events was misplaced in my view. The utility of these cameras is in the future deterring theft, vandalism; deterring trespassers and enhancing the security of its employees and others and the security of its goods which includes hazardous and toxic materials either on location or being transported. These cameras are also useful as a tool for investigation.

[179] Again, while the cross-examination of CP deponents showed, in some cases, the video cameras might not have caught one of the incidents mentioned in their affidavits, the evidence, as a whole, establishes on a balance of probabilities, the cameras are effective in meeting CP's needs. The evidence establishes, and the Privacy Commissioner so found, there had been no recorded incidents since they were put into place, a performance similar to that which CP had experienced itself in other locations such as Golden, B.C. As an aside, the Privacy Commissioner speculated in his report deterrence might be attributed to the warning signs but failed to appreciate warning signs and cameras go hand-in-hand - you cannot have one without the other.

[180] I find the loss of privacy was minimal. Indeed, if there were no recorded incidents, it means none of the images captured by the cameras were viewed. The Privacy Commissioner was of the view a person whose images might be recorded had a low expectation of privacy because the cameras were located to capture personal information in locations which were public places. I share his assessment. Generally, such a view accords with the thrust of the cases decided by the Supreme Court of Canada in section 8 Charter cases where an analysis of a reasonable expectation of privacy is weighed.

[181] On this point, it must be remembered the recordings are never viewed unless an incident requiring an investigation occurs. This factor, coupled with my findings of how and what the cameras capture, lead me to conclude the loss of privacy is proportional to the benefit gained from their collection.

[182] On the last factor, I am satisfied CP looked at alternatives and weighed them in the context of its operations at the Toronto Yard which, needless to say, are very extensive and are carried out over a very wide area. CP concluded, as I do, those alternatives such as fencing and the use of security guards, was not cost effective or would be disruptive of its operations. This factor, weighed with my finding about the low loss of privacy, satisfies me the last branch of the test put forward by the Privacy Commissioner is met.

This decision will provide some comfort to those who scratched their heads when the Commissioner's original finding was released. The Commissioner's definition of "reasonable" may differ from that of the Court, which always has the final say.

Article: New technology is tracking you in ways that may be a surprise

The Montreal Gazette has an article on the increase in the surveillance society in Canada. None of it will be surprising to those who follow these issues, but the article is a good introduction with comments by Privacy Commissioner Jennifer Stoddart and consultant Stephanie Perrin:

You're just a number: New technology is tracking you in ways that may be a surprise

"LYNN MOORE
The Gazette

Sunday, June 20, 2004

Most Montrealers first learned that late-model cars are equipped with 'black box' technology from media coverage of a recent trial.

Their surprise was likely tempered with satisfaction because the technology brought some justice to the tragic death of a university student. Black-box data showed that Eric Gauthier was driving along Ste. Catherine St. at 157 kilometres per hour just seconds before he struck and killed Yacine Zinet.

More surprising - and disturbing for some - is that the technology used to convict Gauthier is tame in terms of what is out there - to help us, it's said, but available for use against us."

Full text ... (Enjoy it while you can since the Canada.Com network expires its content relatively quickly.)

Friday, June 18, 2004

Privacy Law and Project Management

Yesterday, I gave a two and a half hour presentation (see: Privacy Law and Project Management) [link fixed] to the Nova Scotia Chapter of the Project Management Institute. The presentation began with an introduction to PIPEDA and led into a discussion of integration of privacy into project planning, drawing heavily from privacy impact assessment methodologies, especially the Canadian federal government's PIA guidelines and PIA policy. These days, no significant technology project should proceed without considering the potential privacy risk presented by the project.

Thursday, June 17, 2004

Oops ... Families private files left on a tram

Another serious privacy breach caused by employee negligence, this time from Australia:

Families private files left on a tram. 16/06/2004. ABC News Online:

"Families private files left on a tram

The Federal Government has apologised to 15 families whose private files were left by a Child Support Agency staffer on a tram.

Victorian Labor Senator Gavan Marshall has told Parliament the files contained personal details such as names and addresses and affected families were forced to change their tax file numbers and bank accounts at their own expense.

'Can the minister confirm that this serious breach has been referred to the privacy commissioner and whether the Government will compensate affected families for the costs and distress caused?' he said.

Families Minister Kay Patterson has told Parliament it was an unfortunate mistake, conceding some of the information still has not been located.

She says affected families were contacted and apologised to, but she will not commit to compensation.

'We need to move away from litigation and compensation,' she said.

Senator Marshall also told Parliament one of the families was mistakenly sent another family's file more than a year ago, but the Minister would not confirm that."

Sunday, June 13, 2004

Article: A Closer Look at the Fine Print in Privacy Statements

An article from www.informit.com discusses the finer points of online privacy statements, paying particularly close attention to the statement for Windows Media Player. Worth a look:

A Closer Look at the Fine Print in Privacy Statements:

"Most major companies (Novell, IBM, Oracle, HP, Microsoft, and so on) have very similar privacy statements. Zubair Alexander takes a closer look at the fine print in these statements: what type of data or personal information may be collected from you, and who it's shared with. What's in the fine print may surprise you."

Friday, June 11, 2004

Indian outsourcers push to boost data security - Computerworld

Following a high-profile incident some time ago, Indian outsource service providers are looking to strengthen privacy and security protections in order to maintain their position in the international market. (I still say that Nova Scotia is the best and safest place to send your data. See the "Nova Scotia Business Case".)

Indian outsourcers push to boost data security - Computerworld:

"News Story by Narayanan Madhavan

JUNE 10, 2004 (REUTERS) - India's booming software and outsourcing sectors are trying to improve data protection to please increasingly security-conscious clients and to preempt protectionist laws, industry officials said today.

Officials at the National Association of Software and Service Companies (NASSCOM) told a news conference that they will work with customers, regulators and law enforcers to bolster 'trustworthy outsourcing' in India.

India, where English-speaking workers earn a fraction of what their Western counterparts make, exported $12.5 billion worth of software and services in the past year, up more than 30% from the previous year. But protectionist laws have surfaced in some U.S. states to prevent local governments from outsourcing back-office jobs to India, while candidates in the U.S. presidential election have also spoken of measures to check job losses. "

Full text here ...

Quebec Privacy Commissioner Lays Down Law on Public Video Cameras

From today's Montreal Gazette:

Montreal Gazette - canada.com network:

"Quebec's privacy watchdog issued public surveillance guidelines Wednesday after video cameras were installed on a drug-ridden street in Montreal.

The provincial access to information commission said public cameras should only be used as a last resort to prevent serious crime problems or for the protection of property.

Commission president Diane Boissinot said the cameras should be used only at specific times for a specific period."

PIPEDA and Employees

I mentioned in an earlier post that employment law, and specifically the privacy of employee information, is a growing part of my practice. One of the least understood portions of PIPEDA is how it applies to employee information. PIPEDA is a constitutionally peculiar bit of law, which is best reflected in how it applies to employee information. Privacy is generally seen as a matter of "civil rights", which is within the provincial jurisdiction under the Canadian Constitution Act. To legislate in this area, the federal government has characterized privacy as a matter of commerce and asserts jurisdiction under the general trade and commerce power. (Whether this is tenable, I leave to the Quebec Court of Appeal and the Supreme Court of Canada; see "Quebec Expected to Challenge PIPEDA's Constitutionality".)

All matters of legitimacy aside, it is agreed that the traditional employer-employee relationship is not a part of general trade and commerce and is reserved to the exclusive jurisdiction of the provinces. The federal government does not have power to legislate or govern the employer-employee relationship except for federal works and undertakings and where there is a clearly interprovincial aspect. Therefore, PIPEDA does not apply to the employer-employee relationship for the provincially regulated private sector but does for employees of "federal works, undertakings or businesses". It likely applies where there is an asset purchase of a business where the employee information is part of the transaction and this information crosses provincial or international boundaries.

So what is a "federal work, undertaking or business"? It is defined in Section 2 of PIPEDA, which definition is virtually identical to that found in the Canada Labour Code:

"federal work, undertaking or business" means any work, undertaking or business that is within the legislative authority of Parliament. It includes

(a) a work, undertaking or business that is operated or carried on for or in connection with navigation and shipping, whether inland or maritime, including the operation of ships and transportation by ship anywhere in Canada;

(b) a railway, canal, telegraph or other work or undertaking that connects a province with another province, or that extends beyond the limits of a province;

(c) a line of ships that connects a province with another province, or that extends beyond the limits of a province;

(d) a ferry between a province and another province or between a province and a country other than Canada;

(e) aerodromes, aircraft or a line of air transportation;

(f) a radio broadcasting station;

(g) a bank;

(h) a work that, although wholly situated within a province, is before or after its execution declared by Parliament to be for the general advantage of Canada or for the advantage of two or more provinces;

(i) a work, undertaking or business outside the exclusive legislative authority of the legislatures of the provinces; and

(j) a work, undertaking or business to which federal laws, within the meaning of section 2 of the Oceans Act, apply under section 20 of that Act and any regulations made under paragraph 26(1)(k) of that Act.

So, if you are federally regulated, PIPEDA applies to your employees. If you are not a federal work, undertaking or business, PIPEDA only applies to your employee information if you use it in a commercial way (sell it to a marketing company) or if you transfer it over provincial boundaries "for consideration." Hope this clears things up!

Article: Privacy laws confusing firms

The Calgary Sun is carrying a Canadian Press story about a speech given by the Privacy Commissioner in Edmonton:

The Calgary Sun: Privacy laws confusing firms:

"EDMONTON -- Many small businesses are still confused about, or completely ignorant of, a new federal privacy law that governs commercial activities, federal privacy commissioner Jennifer Stoddart said yesterday. Businesses have been required to follow specific rules for the collection, use and disclosure of information since Jan. 1.

Stoddart told the audience of more than 300 at a conference organized by the University of Alberta that the Personal Information Protection and Electronic Documents Act has caused great confusion.

'It is smaller organizations that feel overwhelmed by government bureaucracy,' Stoddart said. "

Thursday, June 10, 2004

Presentation: PIPEDA and Employers (Hewitt)

I was invited to give a presentation to a conference arranged by Hewitt Associates (a leading HR outsourcing services provider) on PIPEDA for HR professionals. The presentation is available here: PIPEDA and Employers (Hewitt)

Presentation: PIPEDA and Pharmacists

Last weekend, National Privacy Services was invited to give a presentation on PIPEDA to a group of independent pharmacists. The presentation is available here: PIPEDA and Pharmacists.

Blog: Thoughts from a Management Lawyer

I just received a very kind e-mail from Michael Fitzgibbon, who practices management-side labour law at Borden Ladner Gervais in Toronto. Michael is the author of a labour law blog, entitled Thoughts from a Management Lawyer. He has been finding that privacy matters are coming up more and more in his practice, just like employment law issues are suddenly front-and-centre in mine. I highly recommend taking a look at his blog.

Privacy and Employee References

The Globe and Mail newspaper has a column in which readers can send in their questions. This week's edition includes a question about checking references:

The Globe and Mail:

"Dear Susan,

Can a recruiter or potential employer contact a reference without your permission?

--MYOB

Dear MYOB,

Employers can and do, but they shouldn't. "I heard it through the grapevine" is still the anthem of talent scouts in certain sectors, recent privacy legislation notwithstanding. But asking for the straight dope without consent is risky. Not only does the practice breach ethical and legal boundaries about personal privacy, the information gleaned this way is hardly reliable. An opinion about an employee says more about the referee than the worker, according to reams of studies, and thus off-the-record telephone exchanges are becoming less common in reputable human resources circles. Without the employee's nod even something as basic as checking where a candidate is currently employed can jeopardize her career if her boss doesn't know she's looking around. So seeking the low-down behind an employee's back is bad form, possibly illegal and not exactly how you welcome a new recruit into the fold. The whole practice smells.

So what if it already happened? I'm no lawyer, but a cursory look at the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the three provinces that have their own privacy legislation (Quebec, Alberta and British Columbia) shows that most explicitly discourage employers from disclosing information without the employee's okay. Alberta is one exception, allowing employers to collect personal information about public employees "from any party without specific consent," according to a human resources guide published on the provincial government's Freedom of Information and Privacy website and confirmed by one of the government's information officers.

But all it takes is one test case to make Canadian employers clam up forever, says Vic Catano, a psychology professor and recruitment expert at St. Mary's University. That's what happened in the United States, when a referee not authorized by a candidate gave a negative point of view that off-sided an applicant for a vacant position. The employee sued and was awarded damages, an event that cast a pall on the reference-giving world. Even if a candidate has given permission, information not germane to the job is off-limits. It's irrelevant if you curl with the candidate's father. Just the facts, ma'am. Except for checking biographical facts with the candidate's permission, when it comes to references the rule is don't ask, don't tell. "

Getting consent is always a good idea. PIPEDA only applies to employees in the federally regulated private sector (banks, airlines, etc.), but employees (potential and otherwise) are beginning to expect that employers will respect their privacy. I advise my clients to have the prospective employee sign a consent at the interview, giving permission to contact anyone who may have information that is relevant, not just their listed references. Of course, their Sunday school teacher will say good things about them. The key is to get relevant information. The consent form also has to say that the individual gives consent for the disclosure of personal information from the person who is asked. Referees are well advised to insist on seeing such a consent.

Study: Patient privacy at risk in hospitals' hallways, lobbies, cafeterias

File this under "not very surprising" ...

A recent study, published in the journal Health Communication (and abstracted on the Purdue University website), discusses how patient privacy can be casually violated by conversations among health professionals in public spaces:

Patient privacy at risk in hospitals' hallways, lobbies, cafeterias:

"Patient privacy at risk in hospitals' hallways, lobbies, cafeterias

WEST LAFAYETTE, Ind. -- New health communication research shows that casual conversations in hospital hallways and waiting rooms pose a threat to the confidentiality of patients' medical information.

Research conducted at Purdue University by Maria Brann, assistant professor of communication studies at West Virginia University, and Marifran Mattson, associate professor of communication at Purdue, shows patient privacy is breached when hospital employees talk about patient cases in public areas, such as the cafeteria, or with people outside of work. The researchers' paper appears in the spring issue of the journal Health Communication."

Thanks to the Science Blog for this link.

Wednesday, June 09, 2004

Article: For Sale by Public Auction -- Juicy Laptop Secrets

Yet another story about personal and commercial information left on hard drives sold at auction:

Yahoo! News - For Sale by Public Auction -- Juicy Laptop Secrets:

"... In all, the firm's technicians were able to pull sensitive details from 70 of the 100 machines it bought.

In one case, it obtained a particularly vulnerable hard drive from online auction site eBay that apparently once belonged to one of Europe's largest insurance companies.

On the hard drive were current details of customers' pension plans, payroll records, personnel details, login codes and administration passwords for the company's Intranet site. Home addresses, telephone numbers and dates of birth of customers were also listed in 77 Microsoft Excel files, the company said. ..."

Tuesday, June 08, 2004

Article: Think before you text

Years later, cell phone text messages can come back to haunt you. According to CNN.com, ancient text messages may be ordered to be produced as evidence in the Kobe Bryant trial (see below). These messages "tend to be saved on servers."

Canada's federal privacy law, PIPEDA, has applied to telecom companies since 2001. One of the principles of the law is that information can only be retained for as long as is reasonable for the purposes for which the information was collected:

4.5 Principle 5 -- Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

4.5.2

Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.

4.5.3

Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

It would seem that Canadian telcos should not be retaining these messages indefinitely. Of course, "should" and "do" are two entirely different matters... Beware what you text; it may come back in civil or criminal proceedings.

The CNN story on the Bryant trial is here:

CNN.com - Think before you text - Jun 7, 2004:

"DENVER, Colorado (AP) -- A few hours after NBA star Kobe Bryant had sex with a Vail-area hotel worker last summer, the woman exchanged cell phone text messages with a former boyfriend and someone else.

What's in those messages could help determine whether the sex was consensual or whether Bryant is guilty of rape as charged. The judge himself said the content may be 'highly relevant' to the case.

That the judge could order the woman's cell phone company to produce the messages so long after they were sent shouldn't surprise anyone, analysts say.

Texters beware. Like e-mail and Internet instant messages, text messages tend to be saved on servers.

'One of the false assumptions that people make is that when they hit the delete button, messages are gone forever, but nothing can be further from the truth,' said Jeff Kagan, an independent telecommunications analyst in Atlanta."

See also Slashdot discussion of the issue ...

The Daily Telegraph | This is an Act of total bastardry

The Australian Daily Telegraph has an interesting bit about one person's experience of Australian privacy legislation. Highly recommended (and entertaining) read:

The Daily Telegraph | This is an Act of total bastardry:

"By DAVID PENBERTHY

June 9, 2004

JUST over a year ago while driving home along Parramatta Rd I had one of those car accidents that restores your faith in human nature. Or so it seemed.

While changing lanes I failed to check my blindspot and side-swiped another car in the inside lane, smashing its front bumper and headlight and doing a fair bit of damage to my right-hand side.

Given that I was the one who was changing lanes, the accident was my fault. The other bloke couldn't have been nicer, especially, as he explained, he'd just had a new front bumper fitted.

We exchanged names and numbers. I was insured, he wasn't, but given that I was in the wrong it was a simple matter of paying the excess and lumping it.

I processed the forms, but forgot to pay the excess. A couple of weeks later I received a call from my apparent friend which not only spurred me into lightning action, but made me reassess my initial appraisal of the once-genial knockabout with whom I had the pleasure of colliding.

The bloke rang me out of the blue, told me he knew where I lived, that I didn't know what sort of person he was, and that if I didn't pay up by the end of the week he'd get the money off me by other means.

I know when I'm being threatened and did the only manly thing. I panicked like a girl. I rang the insurance company, gave them my credit card details, had it all paid within 60 seconds, and asked if they could provide me with my frightening friend's mobile number so I could reassure him that everything was cool.

"Sorry sir, under the Privacy Act we can't give you that number," the woman said.

"But I gave you his number," I said reasonably. "He doesn't have insurance. The only reason you have his number is because I took it at the scene and gave it to you on the form. I want to call him now to sort this out but I don't have it on me."

"Yes, sir, but under the Privacy Act I can't give it to you."

"So how did you get his number?"

"That's not the point, sir."

Etcetera. After some journalistic theatrics – where I explained to the woman (with the mildest exaggeration) that I feared for my safety – the woman relented, albeit in a drawn-out New Price is Right-type charade where I guessed the first two numbers were 04, and then played higher and lower for the remaining eight digits.

I didn't win the car, or even the vacuum cleaner, but I came away with the feeling that the Privacy Act may be one of the daftest pieces of legislation going around.

..."

Full text here ...

Criminal Code Amended to allow for e-mail interception by sysadmin

By amendments to the Criminal Code of Canada, the authority of a sysadmin to review employee e-mail in the course of system management has been clarified. From the London Free Press:

London Free Press: Business Section - Law amended for e-mail:

"The Criminal Code of Canada makes it an indictable offence to "willfully" intercept a private communication. On April 22, Bill C-14 came into effect, which among other things amends the Criminal Code to protect computer system managers from the threat of criminal conviction. The bill amends the Criminal Code to add a section that allows computer system managers to intercept a private communication. Interception under this new provision is lawful only if it is "reasonably necessary" for managing the "quality of service" of the computer system.

Preventing and dealing with intrusion detection and malicious attempts to compromise systems is a crucial issue for any business.

The concern was that without such a change, the viewing or scanning of e-mails by a computer systems employee for such things as virus detection or spam-blocking might be considered an illegal interception of a private communication. Other legitimate purposes include the prevention of data theft or the use of systems by unauthorized individuals. One could argue that, depending to some extent on employer policies, e-mails to and from the workplace are not private communications. But this amendment clarifies the issue.

...

Under the changes, intrusion-detection activities must be limited to authorized individuals who perform duties relating to the security management and protection of computer systems.

Intrusion-detection activities must be limited to what is reasonably necessary for legitimate management purposes to ensure service quality and protect systems against computer-related offences.

The then-Privacy Commissioner took issue with one aspect of the bill.

The commissioner opposed permitting a private communication that had been intercepted lawfully to be disclosed in the course of a civil or criminal proceeding, or for the purposes of any criminal investigation.

That would have meant that a manager operating a computer intrusion-detection system who discovered an e-mail attachment containing child pornography, or evidence of a murder plot, could not notify the police or use the material to discipline the employee.

The commissioner's proposal was defeated. ..."

Ontario's Personal Health Information Protection Act receives royal assent

Ontario's Personal Health Information Protection Act (also known as Bill 31) received royal assent on May 30, 2004. The main parts of the statute come into force on January 1, 2005:

PART IX COMMENCEMENT AND SHORT TITLE

Commencement

95. (1) This section and sections 71, 72 and 96 come into force on the day the Health Information Protection Act, 2004 receives Royal Assent.

Same

(2) Sections 1 to 70 and 73 to 94 come into force on January 1, 2005.

Short title

96. The short title of the Act set out in this Schedule is the Personal Health Information Protection Act, 2004.

Addition: For information about Bill 31 (PHIPA) training, see http://www.privlaw.com/pages/training_courses.htm

Saturday, June 05, 2004

Article: Build privacy into products

Ann Cavoukian, Ontario's very active privacy commissioner, gave a speech recently highlighting the distinction between privacy and security. She also discussed who in an organization should assume the role of CPO. See the ITbusiness.ca article:

ITBusiness.ca: Build privacy into products:

"As North America witnesses the rise of chief privacy officers, one of the fastest growing designations, companies must decide who within an organization will be responsible for this job, Cavoukian said. Ideally, the function should rest with a 'customer-friendly' department like marketing or business development, she said.

Karbaliotis predicted chief privacy officers will grow in importance because these will be individuals 'willing to stand for the company and say 'We're doing this right.'

'Maybe it shouldn't be the security officer. Maybe it shouldn't be the chief technology officer.'

Instead the right candidate should understand technology, business processes, the legislative environment and be involved in business planning, he said.

The 9/11 crisis allowed an increasing degree of security to marginalize privacy, but now 'we need a new paradigm,' urged Cavoukian, and added security and privacy are necessary for freedom to prevail."

Wednesday, June 02, 2004

Article: The Impact of PIPEDA

Today's Globe Technology has a comment by Adam N. Atlas, a member of the bars of Quebec and New York. He discusses the cross-border aspects of PIPEDA and the article merits a read.

Globetechnology:

"The best kept secret in privacy law is what to do about cross-border information transfers. There has been a lot written about the new Canadian privacy law, entitled Personal Information Protection and Electronic Documents Act (PIPEDA), but few lawyers or other experts are willing to offer an opinion on the legality of international cross-border information transfers under PIPEDA.

To date there is little to be found within the published rulings of the Privacy Commissioner that can definitively answer the numerous questions that this issue poses. This is surprising given that nearly every business in Canada faces the privacy question almost on a daily basis. The following is a practical overview for any business that sends or receives any personal information from or to Canada across international borders. ..."

The one area that he doesn't really touch on is probably the most prevalent example of the impact of PIPEDA on cross-border data flows: American retailers doing business with Canadian customers. For example, Lands' End and L.L. Bean both collect personal information in association with any sale to a Canadian. PIPEDA itself is silent about its impact on cross-border transactions, but the Commissioner's office has taken the view that PIPEDA applies. Usual Canadian principles of conflicts of laws would suggest that Canadian federal law can apply where there is a "real and substantial connection" with this jurisdiction. Since the law is designed to protect Canadian residents and the collection would be deemed to take place "in Canada", applying it to American retailers is consistent with that purpose. The company may be able to tell the Commissioner to buzz off when she calls the corporate offices in Ohio, but the Federal Court's order or award of damages may be enforceable outside of the country. If the company has assets in Canada, it has a much stronger interest in complying.

Tuesday, June 01, 2004

Federal Privacy Commissioner announces funding program for Privacy in Canada

Jennifer Stoddart has today (1 June 2004) announced a new initiative from the Office of the Privacy Commissioner to support research into, and the promotion of, personal information protection. More details are available on the Commissioner's website:

Contributions Program Introduction:

"The Office of the Privacy Commissioner of Canada (OPC) has officially launched a $200,000 Contributions Program which will support research into, as well as the promotion of, the protection of personal information.

With this Program, we hope to encourage the development of a national privacy research capacity that will contribute to advances in knowledge and policy development in the areas of privacy and data protection. We also hope to support the development of expertise in selected areas of privacy and data protection, and to foster an understanding of the social value of privacy to address emerging issues and opportunities...."