Thursday, September 30, 2004

Column: Privacy Legislation Is Needed, Even If It Hurts

Instead of complaining about the inconvenience of forms, privacy statements and the like, as many columnists have done, Wayne Rash has written a column about the benefits of mandatory privacy. In this column, he recounts his "encounters" with changes brought about by privacy laws and finds comfort in them:

Wayne Rash: Privacy Legislation Is Needed, Even If It Hurts:

"...What was happening was that the companies I dealt with have made security of my information mandatory, whether I liked it or not. They're doing this because they're required to by a federal law referred to by its acronym HIPAA. The financial community has a similar requirement named after the sponsors of that relevant law, called Sarbanes-Oxley. The bipartisan team knew that protecting the information vital to investors would take more than vague statements in annual reports, and as a result mandated a series of steps that among other things ensured the security of financial data.

Again, the law was requiring companies to take steps in security that they otherwise wouldn't take. The reason, of course, is that financial officers tend to look on security as a cost center and as a result are reluctant to provide necessary funding, explaining why corporate security efforts have been so difficult to put into place. The fact that federal law requires such steps eliminates that problem in areas where it applies.

The fact that the laws result in yet more paperwork for me, or in the requirement to queue up five feet away from the pharmacy counter are minor inconveniences to me, but in reality they are a small part in a much larger plan. I can't overhear the conversations of others. My doctor or my broker can't send information to third parties without my consent. And companies have to safeguard my data.

Most of those steps would never have been taken without laws requiring them. Worse, most people would have viewed security in the same manner as the Blackberry user I sat next to. She could have tilted her screen so I couldn't see, but she obviously didn't think about it. People in general think about security very little. Problem is, some of those who think about it very little really should be thinking about it a lot, but they're not...."

In my view, Wayne Rash is a kind of spokesperson for the many quiet consumers who may not be standing on streetcorners applauding, but are silently appreciative of the efforts that companies are being forced to undertake to protect consumer privacy. And, companies should note, consumers like Wayne Rash vote with their wallets.

Article: CRTC puts new rules on hold

The Toronto Star has an article in today's edition about the CRTC suspension of the changes to the Canadian telemarketing regulations:

TheStar.com - CRTC puts new rules on hold:

"Strict rules imposed on telemarketers in May have been put on hold pending the outcome of a regulatory review.

The Canadian Radio-television and Telecommunications Commission has decided to reconsider its new rules in response to a complaint filed in August by the Canadian Marketing Association.

The association, with 800 members that include major financial institutions, telephone operators and media companies, argued that the high cost of complying with the regulations will put many smaller phone marketers out of business and result in job loss across an industry that employs 270,000...."

USA Patriot Act "national security letters" provision is thrown out by Court

The ACLU has been successful in challenging the portion of the USA Patriot Act that allows the FBI to compel the production of records without court authorization. Parry Aftab has a number of good blog entries about it, including her analysis of the decision. Take a look at Patriot Act Provision is thrown out by Court - effective date is delayed 60 days to allow government time to appeal, The Decision in ACLU v. Ashcroft, and Overview of the Section 2709 Patriot Act decision. While you're there, bookmark her excellent blog.

Wednesday, September 29, 2004

Canadian government proposes regulations to require disclosure of employee data without consent for policing employment insurance program

Human Resources and Skills Development Canada has proposed amendments to the Employment Insurance Regulations to ensure that HRSDC has access to employee payroll information to detect fraud and abuse of the Employment Insurance Program. The National Post has a large front page story on this, saying that the fraud detection program has been on hold for nine months because of fears of transgressing federal and provincial privacy laws. I would have suggested that this information collection without consent was already allowed under PIPEDA, the Alberta Personal Information Protection Act and BC's Personal Information Protection Act. Better to be safe than sorry ...

Canada Gazette:

"REGULATORY IMPACT ANALYSIS STATEMENT

Description

The purpose of the proposed amendment to the Employment Insurance Regulations is to ensure that earnings verification programs conducted by Human Resources and Skills Development Canada (HRSDC), formerly Human Resources Development Canada, in cooperation with employers, satisfy the requirements of federal and provincial legislation pertaining to the disclosure of personal information.

As of January 1, 2004, subsection 7(3) of the federal Personal Information Protection and Electronic Documents Act (PIPEDA), applies to employers who fall under federal jurisdiction (i.e. airlines, banks, interprovincial transportation, radio and television broadcasting or telecommunications industries). Under the Act, these employers may not disclose personal information about an employee to HRSDC without the employee's consent unless HRSDC can demonstrate that it has the lawful authority to obtain this information. In addition, Quebec, British Columbia and Alberta have enacted privacy protection legislation requiring HRSDC to have lawful authority before it can obtain employee information from private sector employers in those provinces without employee consent. Similar legislation is being developed in other provinces.

With the implementation of the above-mentioned privacy legislation, regulatory clarification is required to ensure the ongoing functions of two verification programs administered by the Employment Insurance (EI) program: the Automated Earnings Reporting System (AERS) and the Report on Hirings (ROH) Program. These voluntary programs involve the comparison of EI claim files with current employee information provided to HRSDC by employers. HRSDC's lawful authority to obtain this information needs to be made explicit as a result of PIPEDA implementation. The AERS and ROH programs are currently under suspension (since January 1, 2004) and will be reinstated once the Regulations comes into effect.

Both the AERS and the ROH programs were developed in the late 1970s following recommendations made by stakeholders representing employers and employees. The level of participation has been considerable among employers because these programs are cost-effective and they help to alleviate the significant paper burden of requests for payroll information employers would otherwise receive.

Employees working for participants of AERS and the ROH benefit because the overpayment of EI benefits is minimized keeping financial hardship for the claimant to a minimum if repayments are required. This also means that subsequent administrative penalties or prosecutions are less likely because HRSDC is aware of the problem at the outset. As well, deterrence is achieved by encouraging participating employers to advise their employees that they participate in the AERS or ROH program. HRSDC provides employers with posters and inserts for use in informing employees that they share payroll and hiring information with HRSDC.

The proposed Regulations safeguards the privacy of Canadian workers and at the same time, it reduces the potential for making EI payments to claimants who are not lawfully entitled to receive them. The only information available to HRSDC that is collected from the verification programs, is information matching employees subject to an overpayment.

AERS and ROH are early intervention measures and serve as major deterrents to fraud and abuse of the EI program. HRSDC considers the use of regular and ongoing verification programs as crucial control mechanisms that assist HRSDC in meeting its obligations with respect to sound management practices and its fiduciary responsibility under the Employment Insurance Act.

To support the continuation of these voluntary verification programs, it is proposed that section 55.1 of the Employment Insurance Regulations be added to make explicit that HRSDC has the lawful authority to obtain employee information on a continuing basis. The information to be collected will include information in respect of the date of commencement of employment, duration of employment, amounts earned and reasons for separation from employment. It will apply to employers who (a) hired or recalled ten or more employees in a twelve-month period or expect to do so in the upcoming twelve months or (b) were required to issue ten or more records of employment in a twelve-month period or expect to do so in the upcoming twelve months.

...

Consultation

This proposed regulatory amendment was prepared by Human Resources and Skills Development Canada's Employment Program Policy and Design in consultation with Insurance Program Services, Investigation and Control, Legal Services and Privacy and Access to Information. External consultations have taken place with Industry Canada which is responsible for PIPEDA and the Department of Justice which agreed to the intent of the Regulations and drafted the wording. The Office of the Privacy Commissioner was also consulted during the developmental stages. The Employment Insurance Commission (including the Commissioners for Workers and the Employers) approved the Regulations in principle on November 14, 2003.

Compliance and enforcement

Existing compliance mechanisms contained in HRSDC's adjudication and control procedures will ensure that these changes are properly implemented. ..."

New findings released by Federal Privacy Commissioner

The Privacy Commissioner has released four new findings under the Personal Information Protection and Electronic Documents Act.

Commissioner's Findings - Privacy Commissioner of Canada

Article: U.S. Patriot Act Raises Canadian Privacy Fears

Reuters is carrying a story on its wire service about the effect of the USA Patriot Act on the privacy of Canadians. Yahoo! News - U.S. Patriot Act Raises Canadian Privacy Fears

CRTC suspends application of new Canadian telemarketing rules

The CRTC has temporarily suspended the application of their recent changes to the Canadian telemarketing rules. The full text of the decision is here and the "blurb" is below:

Telecom Decision CRTC 2004-63

Telemarketing

Telecom Decision:

2004-63 The Commission approves, with one exception, the Canadian Marketing Association's (CMA's) application to stay Review of telemarketing rules, Telecom Decision CRTC 2004-35, 21 May 2004, pending the disposition of the CMA's application to review and vary that Decision. The stay applies to all requirements set out in Decision 2004-35 except the requirement that telecommunications service providers track and report complaint statistics; this requirement becomes effective 1 January 2005. Reference: 8662-C131-200408543. [.pdf]

Readers interested in Canadian telemarketing law and the regulation of it by the CRTC in particular are encouraged to check out Mathew Englander's site devoted to the topic at http://www.mathew-englander.ca/canada-telemarketing-law.htm

Nova Scotia government introduces legislation to monitor drug prescribing

The government of Nova Scotia has introduced a bill in the legislature that would allow the Prescription Drug Monitoring Board to have full access to medical records of Nova Scotians and to report suspected illegal prescribing to law enforcement.

Board may soon be able to report suspected abuse of prescription drugs

By AMY SMITH / Provincial Reporter Twelve years after its creation, Nova Scotia's prescription monitoring board could soon have the legal authority to report suspected drug abuse.

"Very often a physician is not aware another physician or two other physicians are writing prescriptions for the same product for that individual," board chairman Patrick King said Tuesday. "The program will now have the teeth to be able to deal with these individuals to the appropriate law enforcement...."

The Minister of Health's press release is available at http://www.gov.ns.ca/news/details.asp?id=20040928002

From Bill 107:

Prescription Monitoring Act:

"18 Upon the request of the Administrator, prescribers, pharmacists or any other body or person shall provide to the Administrator any information, including medical records, the Administrator requires to achieve the objects of the Program.

19 Information received by

(a) the Administrator;

(b) any person employed by the Administrator pursuant to this Act; or

(c) the Board,

shall only be used in accordance with this Act and the regulations and not for any other purpose.

20 Notwithstanding the Freedom of Information and Protection of Privacy Act, the Administrator may release

(a) information with respect to monitored drugs; and

(b) personal information with respect to a resident who has a prescription for monitored drugs,

to a prescriber, a pharmacist, a licensing authority or other body or person to achieve the objects of the Program.

21 Information communicated to the Administrator or the Board by persons employed in the administration of the Health Services and Insurance Act is deemed to be information communicated pursuant to clause 34(a) of the Health Services and Insurance Act.

22 (1) Any data provided to the Minister, the Governor in Council or the public with respect to the Program pursuant to this Act shall be non-nominal data.

(2) Notwithstanding subsection (1), a resident may have access to the resident's own personal information with respect to the Program.

23 (1) Where the Administrator has reasonable grounds to believe that an offence has been committed contrary to the Controlled Drugs and Substances Act (Canada) or the Criminal Code (Canada) or successor legislation, information in the possession of the Administrator in respect of such offence may be communicated to the appropriate law enforcement authority by the Administrator or such person as may be designated by the Administrator.

(2) The Administrator may, at any time, file a complaint with a licensing authority regarding the activities of a member of that licensing authority if the Administrator has reason to believe that the member may be practising in a manner that is inconsistent with the objects of the Program.

(3) Where the Administrator lays a complaint pursuant to subsection (2), the Administrator shall provide the licensing authority with all relevant information on which the complaint is based."

So far, there hasn't been much comment on the privacy aspects of the proposed law.

Tuesday, September 28, 2004

US Congressional Hearing on ID Theft and Social Security Numbers

Sabrina I. Pacifici's excellent blog, beSpacific is referring to some interesting reading about US social security numbers and ID theft:

beSpacific: Hearing on ID Theft Addresses Protection of Social Security Numbers

Hearing on ID Theft Addresses Protection of Social Security Numbers

Prepared Statement of the Federal Trade Commission on Identity Theft and Social Security Numbers, Before the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce, September 28, 2004.

  • Accompanying FTC press release

  • See also the Fair Credit Reporting Act and previous postings here and here on security issues associated with public and private use of social security data.
Not again: Medical records found on street

SANS PrivacyBits is pointing to a recent article about medical records found in the streets of San Diego:

"USA: Medical Records Found on Street (22 September 2004)

The medical records of about three to five patients at San Diego's Kaiser Hospital were found in the street outside of the hospital. According to a hospital representative, the papers fell out of a recycling bin that was being picked up by the Edco Recycling company. Kaiser is reviewing its contract with Edco and working to prevent any future incidents.

http://www.nbcsandiego.com/news/3752160/detail.html

[Editor's Note (Hofman): A good reason to have secure shredding bins, with locks that are taken off when the contents are processed.

(Murray): Information leaks; get used to it. This kind of leakage is not nearly so serious a problem as the routine use of medical records by service providers, insurers, and government. ]"

Medical privacy law said to be chilling cancer studies / Scientists fight for fast access to patient files

The San Francisco Chronicle is carrying an article on the impact of HIPAA on health registries, such as the California Cancer Registry:

Medical privacy law said to be chilling cancer studies / Scientists fight for fast access to patient files:

"...Since April 14, 2003, however, a new federal law designed to protect the privacy of medical records has made it harder, if not impossible, for medical researchers in the United States to troll through patient charts, whether they are trying to unravel the riddle of cancer or studying complications in childbirth.

Citing the privacy rule, at least 17 Bay Area hospitals have imposed restrictions on the state Cancer Registry's accustomed rapid access to patient records.

'The door kind of slammed in our face,' said Dr. Dee West, chief scientific officer for the Northern California Cancer Center, which collects data in the Bay Area for the state registry.... "

Under Ontario's new Personal Health Information Protection Act, personal health information may be disclosed without consent for research purposes if approved by a Research Ethics Board and if the researcher enters into an agreement with the custodian in the form prescribed by the Act.

43. (1) A health information custodian may disclose personal health information about an individual to a researcher if the researcher,

(a) submits to the custodian,

(i) an application in writing,

(ii) a research plan that meets the requirements of subsection (2), and

(iii) a copy of the decision of a research ethics board that approves the research plan; and

(b) enters into the agreement required by subsection (5).

Research plan

(2) A research plan must be in writing and must set out,

(a) the affiliation of each person involved in the research;

(b) the nature and objectives of the research and the public or scientific benefit of the research that the researcher anticipates; and

(c) all other prescribed matters related to the research.

Consideration by board

(3) When deciding whether to approve a research plan that a researcher submits to it, a research ethics board shall consider the matters that it considers relevant, including,

(a) whether the objectives of the research can reasonably be accomplished without using the personal health information that is to be disclosed;

(b) whether, at the time the research is conducted, adequate safeguards will be in place to protect the privacy of the individuals whose personal health information is being disclosed and to preserve the confidentiality of the information;

(c) the public interest in conducting the research and the public interest in protecting the privacy of the individuals whose personal health information is being disclosed; and

(d) whether obtaining the consent of the individuals whose personal health information is being disclosed would be impractical.

Decision of board

(4) After reviewing a research plan that a researcher has submitted to it, the research ethics board shall provide to the researcher a decision in writing, with reasons, setting out whether the board approves the plan, and whether the approval is subject to any conditions, which must be specified in the decision.

Agreement respecting disclosure

(5) Before a health information custodian discloses personal health information to a researcher under subsection (1), the researcher shall enter into an agreement with the custodian in which the researcher agrees to comply with the conditions and restrictions, if any, that the custodian imposes relating to the use, security, disclosure, return or disposal of the information....

Thanks to PrivacySpot and Topix.Net for the pointers to the Chronicle article.

Monday, September 27, 2004

EU Dialogue with Citizens: Data protection

The European Union has produced a number of "citizen guides", including one related to privacy and data protection: "EUROPA | Dialogue with Citizens | General EU-wide guides: Data protection". Thanks to PrivacySpot.com for the lead.

How to Tell If Your Employer Has You Under Surveillance.

On a lighter note, here are the signs that your employer has you under surveillance, brought to you by McSweeney's Internet Tendency:

McSweeney's Internet Tendency: How to Tell If Your Employer Has You Under Surveillance.:

"A maintenance worker climbs a ladder in your cube, evidently to check a light fixture or heat duct. After he climbs back down, he calls someone on his cell phone and says, 'Roll 'em!'"

Many more tell-tale signs at McSweeney's....

Sunday, September 26, 2004

Breaking the Social Security Number habit

About a week ago I blogged about the use of social security numbers as student IDs at US Universities (see Article: Half of US universities use SSN as student identifier, leaving students vulnerable to ID theft). From Penn State Live, it is reported that Penn State University is in the process of kicking the SSN habit by moving over to a new student ID numbering system:

Faculty and staff preparation key to successful for SSN changeover:

"These days, the importance of safeguarding personal data is a hot topic of conversation not only at Penn State, but also at many other institutions including the federal government. In July, the House Committee on Ways and Means approved the Social Security Number Privacy and Identity Theft Prevention Act, a bill designed to put further restrictions on the use and display of Social Security numbers (SSNs) in an effort to better protect identities. Although this bill is not yet law, it signifies that the prevention of identity theft has become a national concern.

Recognizing that concern, Penn State is just three months away from adopting a new Penn State ID number (PSU ID) in place of SSNs as the primary identifier of students, faculty and staff. 'We're looking to protect private information from unintentional exposure and intentional identity theft,' said David Lindstrom, chief privacy officer at the University. 'The less we use, display and make available private information, the better we control the risk.'

Since SSNs are a potential target for would-be identity thieves, Penn State recently created a new University policy to protect the privacy and confidentiality of an individual's SSN. Policy AD19, which will govern the future use of SSNs, takes effect Jan. 1, 2005, when the new PSU ID is adopted. It has been published now to give University offices time to comply with its provisions...."

Incident: Hacker taps into CSUH Server

Here is the latest privacy breach to have occurred at California universities:

Hacker taps into CSUH server :

"Records of 2,000 students potentially affected, school says
By Ricci Graham, STAFF WRITER

HAYWARD -- A computer hacker somehow gained access to the records of about 2,000 Cal State Hayward students earlier this month, prompting campus officials to send out letters warning students that their personal information may have been compromised.

Kim Huggett, director of public affairs at Cal State Hayward, said on Wednesday that officials have not determined how the hacker was able to 'briefly gain unauthorized access' to student records through one of the campus servers. ..."

This is just the most recent of a number of incidents reported in the last little while. (See Incident: Identity theft alert for CSU students and staff and Incident: Computer System at U.C. San Diego Hacked.) I'm not sure if this means that practices are more lax in California or whether they just report on these incidents more often.

Saturday, September 25, 2004

SINs not needed to get a credit rating check

Today's Toronto Star has an article about social insurance numbers and credit reports: "TheStar.com - SINs not needed to get a credit rating check". It is a followup to a previous article about a promotion to get your credit report online, free. The service required the customer to enter their SIN, and the article includes some discussion about privacy and SINs.

Anybody who is interested in the use of social insurance numbers and Canadian privacy law may also want to read the following articles that touch on the topic:

The Office of the Privacy Commissioner also has a brand new "fact sheet" on social insurance numbers: "Best Practices for the Use of Social Insurance Numbers in the Private Sector."

Wednesday, September 22, 2004

Biometrics coming soon to an airport near you

From Washington Technology:

Canada-DHS pilot program to use iris scanning:

"The Canada Border Service Agency, which is working on a Registered Traveler-style pilot program with the U.S. Homeland Security Department, is implementing iris-scanning technology at Canadian airports to verify the identity of travelers.

The program, called Nexus Air, will begin in November at Vancouver International Airport, Vancouver, British Columbia, before rollout at other Canadian airports for a yearlong trial. ...

Nexus Air builds on Canada's Canpass Air program, which has 4,000 members and also uses iris scanning. As in the U.S. Transportation Security Administration's Registered Travel pilot program, frequent fliers enroll in Canpass Air -- and soon Nexus Air -- by volunteering personal information and submitting to an iris scan. In return, they can then enjoy expedited check-in and customs screening. "

BC Privacy Commissioner delays PATRIOT ACT report a second time

The Information and Privacy Commissioner of BC says his report on the impact of the USA PATRIOT ACT on the privacy of British Columbians will be delayed a second time:

Privacy commissioner delays again report into impact of Patriot Act on B.C.:

"'The sheer volume of the submissions and the complexity of the issues have forced a second extension of the report's release date,' said Mary Carlson, director of policy and compliance for the Office of the Information and Privacy Commission.

The commission received more than 500 submissions from individuals, governments, other privacy commissioners, businesses, unions, technology associations, non-profit associations, civil liberties groups, health care bodies and seniors' organizations."

Case of first impression: Ontario court considers "commercial activity" and application of PIPEDA to non-profits

This decision is hot off the presses: http://www.canlii.org/on/cas/onsc/2004/2004onsc12118.html.

For privacy lawyers, this is the very first time that the term "commercial activity" has been considered in the context of the Personal Information Protection and Electronic Documents Act. This question is of critical importance because the law only applies to the collection, use and disclosure of personal information in the course of commercial activities (or if it is information about an employee of an organization that the organization collects, uses or discloses in the course of the operation of a federal work, undertaking or business).

In this case, a non-profit hunting association was resisting the disclosure of its members list as it was otherwise required to do under the Corporations Act (Ontario). The Court concluded that the organization was not engaged in commercial activities, so PIPEDA does not interfere with the disclosure. (For some unknown reason, there seemed to be some question whether the organization was a "federal work, undertaking or business"!?)

As an aside, I think it's interesting that we are seeing more cases come out of the courts than out of the Office of the Privacy Commissioner. I gather that they are significantly overworked with too few staff and other resources.

    REASONS FOR JUDGMENT

    MacKENZIE J.

    The Nature of the Proceeding

    [1] The applicants, Graydon Rodgers, (Rodgers) and the Peel Trap Club (an unincorporated entity, being an activity group of the respondent The Peel County Game and Fish Protective Association), bring a motion in the context of an application commenced by Notice of Application dated June 24, 2003.

    [2] Briefly stated, the applicants seek: declaratory relief under various heads for alleged breach of fiduciary duty; injunctive relief restraining The Peel County Game and Fish Protective Association (the Association) from expelling Rodgers or any other member of the Peel Trap Club (the Trap section) as a member of the Association and from disbursing of more than 43% of the proceeds of sale of the Association's real property; in the alternative, that the Association be wound up and that 50% of the proceeds of winding-up to be paid in trust to the Trap section.

    [3] The applicants move now for an order compelling the Association to provide a list of the members of the Association to Rodgers. The Association previously refused to provide such list to Rodgers.

    [4] The basis for the refusal by the Association to provide such list is that Rodgers' request fails to meet the requirements of s.306 or 307 of the Corporations Act (Ontario) (the Act) but even if those requirements are met, the Personal Information Protection and Electronic Documents Act (PIPEDA) operates to "trump" or override the provisions of the Act in that regard.

    Issues on the Motion

    (1) Whether Rodgers is entitled to an order for production of the membership list of the Association pursuant to s.307 of the Act;

    (2) Whether PIPEDA applies to Rodgers' request for the Association's membership list to override s. 307 of the Act.

    Analysis

    [5] In 1948, the Association was incorporated as a non-share corporation pursuant to the Act. Its letters patent stipulate as its primary purpose the promotion and maintenance of safe recreational shooting for its members. The record establishes that: the Association does not carry on any active business; has no employees, relying on members volunteering to discharge administrative tasks; and, in accordance with its charter, does not carry on its activities for purposes of gain for the members.

    [6] The Association currently comprises five activity groups, the two material groups being the Trap section and the Handgun section. Rodgers is a member of the Trap section and the respondents, Calvert, Stigge and Modeland, are members of the Handgun section.

    [7] For some time, Rodgers has been concerned about the individual respondents acting in breach of their duties as officers and directors of the Association by preferring the interests of the Handgun section to which they belong over the interests of the Association as a whole. This concern arises over the sale of the Association's lands and premises and the proposed use of the proceeds of that sale to acquire other lands and premises. Rodgers' concern is that the individual respondents will take into account only the interests of the Handguns section in deciding what will be the appropriate replacement lands and premises to the exclusion of the interests of the other sections of the Association, including the Trap section.

    [8] To this end, Rodgers made an informal request of the officers of the Association for the Association's membership list at a Board of Directors' meeting on March 12, 2002. Subsequently on or about September 10, 2002, he made a formal request for the membership list by filing the sworn affidavit prescribed by s.307(2) of the Act.

    [9] By memorandum dated September 18, 2002 by the respondent Calvert to the directors of the Association, the directors were advised that they were obliged to supply Rodgers with the list of members of the Association on the basis of legal advice obtained from the Association's counsel. By an undated memorandum (received sometime in October 2002) addressed to Rodgers, the respondent Calvert, on behalf of the Board of Directors, informed the applicant that the Board was "unable to comply with your request at this time as certain parts of [PIPEDA] came into effect January 1, 2001 and January 1, 2002 and this Act appears to deal directly with requests such as that made above [for the membership list] and we need a legal clarification".

    [10] On October 10, 2003, counsel for Rodgers wrote to counsel for the Association making a further request pursuant to s.307 of the Act for the membership list.

    [11] On October 14, 2003, counsel for the Association responded to Rodgers' counsel, denying the request for the membership list and stating that the Association "a gun club, is an undertaking that is outside the exclusive legislative authority of the Province of Ontario and accordingly it is governed by the requirements of PIPEDA and the release of any membership information cannot be made without the consent of the individual members."

    [12] I turn now to the first issue, whether the applicant is entitled to an order for production of the Association's membership list pursuant to s.307 of the Act.

    [13] Section 307 of the Corporations Act (the Act) provides as follows:

    307(1) Any person, upon payment of a reasonable charge therefor and upon filing with the Corporation or its agent the affidavit referred to in ss.(2), may require a corporation, other than a private company, or its transfer agent, to furnish within ten days from the filing of such affidavit, a list setting out the names alphabetically arranged of all persons who are shareholders or members of the corporation, the number of shares owned by each such person and the address of each such person as shown on the books of the corporation made up to a date not more than ten days prior to the date of filing the affidavit.

    ...

    Ss.2 sets out the form of the affidavit, the material paragraphs being:

    (2) I require the list of shareholders (or members) only for purposes connected with the above-named corporation.

    (3) The list of shareholders (or members) and the information contained therein will be used only for purposes connected with the above-named corporation.

    ...

    (4) Every person who uses a list of shareholders or members of a corporation contained under this section,

    (a) for the purpose of delivering or sending to all or any of such shareholders or members advertising or other printed matter relating to shares of securities other than the shares or securities of the corporation; or

    (b) for any purpose not connected with the corporation,

    is guilty of an offence and on conviction is liable to a fine of not more than $1,000.00.

    (5) [This subsection creates an offence where directors or officers of the corporation fail to furnish the list in accordance with ss.1.]

    (6) Purposes connected with the corporation include any effort to influence the voting of shareholders or members at any meeting of the corporation, any offer to acquire shares in the corporation or any effort to effect an amalgamation or reorganization or any other purpose approved by the minister.

    [14] Rodgers' position is that he has complied with the requirements of s.307(2), has paid a fee for the membership list in question and is seeking the membership list in order that he may communicate with other members of the Association respecting his concerns about the management of the Association, with particular reference to the proposed sale of the Association's property.

    [15] In response, the Association contends that there is no evidence that Rodgers intends to use the membership list for purposes connected with the Association, as required under s.307(6). As well, the Association submits that it would be open to Rodgers or any other person to present a blatantly false affidavit in support of a request for the membership list; accordingly, the Association contends that it has an obligation with respect to the safety and privacy rights of its members. In this situation, the directors in discharging their fiduciary obligations to the members would be obliged to conduct due diligence in investigating any request for a list of members, including cross-examination of an applicant on any affidavit under s.307(2) filed in support of that request.

    [16] Counsel for the respondents refers to s.332 of the Act, which, it contends, gives the court discretion to make orders deemed fit to give a remedy to a member of a corporation who is aggrieved by the failure of the corporation or its directors and officers to perform any duty imposed on the corporation and/or its directors and officers. In this case, the applicant submits that the court in the exercise of its discretion could make an order that would permit the applicant to have communication with the members and at the same time protecting their privacy.

    [17] I reject the submissions of the respondents and accept the submissions on behalf of Rodgers on the right to production of the membership list of the Association.

    [18] The contention that the applicant is not using or will not be using the membership list for "purposes connected with the corporation" i.e. Association is not tenable. It is undisputed that the Board of Directors of the Association have signed a relocation agreement with the City of Brampton that requires the sale of the Association's real property. There is no question that the relocation of the Association will entail decisions as to the suitability of the proposed replacement lands and premises for the Association's activities. As noted, Rodgers has concerns about the proposed replacement lands and premises and wishes to communicate those concerns to other members of the Association.

    [19] Counsel for the Association submits that the words "or any other purpose approved by the minister" are words of limitation. The contention is that the concerns expressed by Rodgers are not within the stipulated purposes of s. 307(b) nor are they the subject of "any other purpose approved by the minister."

    [20] I reject this submission. The proposition that the description of "purposes connected with the corporation" in ss.(6) of s.307 is exhaustive runs counter to the principle of democracy inherent in shareholders' rights. Corporate governance by the directors is subject to review and audit by the shareholders, pursuant to corporate enabling legislation. To give subsection (6) the restrictive interpretation sought by the Association would diminish shareholders' abilities to communicate concerns about corporate governance to each other and thereby detract from their rights of audit and review of directors' acts and conduct in properly constituted meetings of shareholders.

    [21] For these reasons, I interpret the word "include" in subsection (6) to be illustrative rather than exclusive in effect. If the legislator had intended the examples of "purposes connected with the corporation" to be exclusive, the word "means" instead of "include" would have been apt.

    [22] Accordingly, I find that Rodgers' purpose in seeking the membership list is a purpose connected with the corporation.

    [23] I also reject the submission of the Association that its directors were required in the proper discharge of their fiduciary obligations, to conduct due diligence investigations of Rodgers' request including cross-examination of any affidavit filed in support of the request.

    [24] In these circumstances there is no basis on which the Association can reasonably claim the affidavit filed by Rodgers under s.307(2) is false and required investigation by the Association. The record is incontrovertible that on several occasions, both formally and informally, Rodgers made it known to the officers and/or the Board of Directors that he wished the membership list.

    [25] As noted above, on the 18th of September 2002 Calvert sent a memorandum to the Board of Directors wherein, among other things, he noted that Rodgers "has submitted a duly signed affidavit" and that the Association's counsel had advised the Board that it must comply with the request. There may indeed be situations in which a corporation's transfer agent might have valid concerns as to the truth of the prescribed form of affidavit filed in support of obtaining a membership list; this is not one of them. I similarly reject the contention that giving the applicant the membership list of the Association would violate the privacy of its members. This concern is addressed by the provisions of s. 307(4) of the Act. In this regard, the Act restricts the purposes for which the membership list can be used and makes it an offence to use the list for any restricted objective.

    [26] In the result, I find Rodgers is entitled to production of the membership list of the Association in accordance with the provisions of s. 307. However, his right to production of the list engages the issue as to whether PIPEDA operates to disentitle Rodgers to his rights under s. 307 of the Act.

    [27] PIPEDA was given royal assent on April 13, 2001, being implemented in three phases over a three-year period that began on January 1, 2001.

    [28] Section 4(1) of PIPEDA provides as follows:

    4(1) This Part applies to every organization in respect of personal information that

    (a) the organization collects, uses or discloses in the course of commercial activities; or

    (b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

    [29] The three stages of PIPEDA's implementation are:

    1. Stage One: January 1, 2001

    PIPEDA applied only to an organization in respect of personal information, other than "personal health information", that (a) the organization collects or uses or discloses in connection with the operation of a federal work, undertaking or business, or (b) it discloses outside the province for a consideration;

    2. Stage Two: January 1, 2002

    PIPEDA applied to organizations covered in stage one in respect of personal health information that they collect, use or disclose;

    3. Stage Three: January 1, 2004

    PIPEDA applied to all organizations in Canada that collect, disclose or use personal information in the course of commercial activities, subject to exemptions granted or Provinces that have by that date enacted their own privacy legislation. It is not in dispute that Ontario has not enacted its own privacy legislation as of the 1st of January, 2004.

    [30] It may be seen from the foregoing timelines that the relevant time for considering the application of the Act herein was stage two, i.e. the application of the Act on or after January 1, 2002. In the circumstances, s. 4(1)(a) of PIPEDA is the operative section inasmuch as there is no question that the members of the Association are not "employee[s] of the organization" as described in sub (b) of s. 4(1).

    [31] It should be noted that there is no issue between the parties that the names and addresses of members of the Association constitute "personal information" within the definition of s. 2(1) of PIPEDA; the Association is an "organization" as defined in the interpretation section; and the Association is a "federal work, undertaking, or a business" as defined in the interpretation section of PIPEDA.

    [32] I take issue with the joint submission that the Association is within the definition of a federal work, undertaking or business. In the PIPEDA interpretation section 2(1), the pertinent part reads as follows:

    2(1) The definitions in this subsection apply in this Part

    ...

    "federal work, undertaking or business" means any work, undertaking or business that is within the legislative authority of Parliament. It includes

    ...

    (i) a work, undertaking or business outside the exclusive legislative authority of the legislatures of the Provinces

    ...

    [33] The Association was incorporated under the laws of Ontario and its activities are conducted solely within the Province of Ontario. The legislative jurisdiction of the Province respecting the Act is founded upon s. 92(13) (property and civil rights) and matters of a local or private nature within the Province (s. 92(16)), both of the Constitution Act, 1867.

    [34] The position of the respondents is that having regard to the recreational shooting activities (the Handgun section and the Trap section, among other sections) of the Association, the Firearms Act and Regulations enacted by the Federal Parliament under its criminal law power pursuant to s. 91 of the Constitution Act 1867 take the Association's activities or "undertaking" outside the exclusive legislative authority of the Provinces.

    [35] In order to determine whether the Association is a federal work or undertaking within the meaning of PIPEDA, an examination of the nature of the Association's activities and undertaking is required. It is a given that the mere fact the Association has been incorporated in the Province of Ontario and conducts its activities and undertaking within the Province of Ontario is not determinative of whether it is a federal work or undertaking within the meaning of PIPEDA.

    [36] The examination of the Association's activities and undertaking indicates that it is not outside the exclusive legislative authority of the Province of Ontario nor is it a work or undertaking expressly enumerated in s.91 of the Constitution Act. The question then becomes whether the pith and substance of the activity and undertaking is a matter of property and civil rights and of purely local concern. If this question is answered in the affirmative, it does not come under the exercise of s.91 of the Constitution Act 1867 to enact criminal law, i.e. the Firearms Act, simply because the recreational shooting aspects of the Association's activity and undertaking are impacted by the Firearms Act.

    [37] In Barry's Ltd. v. Fisherman, Food and Allied Workers Union [1993] N.J. No. 34 (NFLD. C.A.), (leave to appeal to S.C.C. dismissed), one of the issues was whether the business operated by the appellant was subject to federal legislation and regulations, specifically, the Fish Inspection Act. The issue before the Court was whether the appellant's business of fishing came within the definition of a federal undertaking under the Canada Labour Code. In this regard, the case is pertinent because the definition of federal work or undertaking in the Canada Labour Code is similar in substance to the same definition contained in PIPEDA: "a work, undertaking or business outside the exclusive legislative authority of the legislation of the Province".

    [38] In the course of its reasons, the court observed that the Federal Parliament had authority to legislate with respect to the regulation of trade and commerce and there was no doubt that the Federal Parliament had authority to enact the Fish Inspection Act. However, the court further observed that such authority did not make a company engaged in trade and commerce and bound by some federal enactment in relation thereto a federal work or undertaking.

    [39] The court gives an example of this principle in noting that s.7 of the Federal Food and Drugs Act provides that no person shall manufacture, prepare, preserve, package or store for sale any food under unsanitary conditions. The court concludes that this provision does not constitute every corner grocery store a federal work or undertaking within the meaning of the Canada Labour Code.

    [40] I find this reasoning to be apt in the present circumstances. The fact that the Criminal Code of Canada applies to every aspect of personal, institutional or corporate activity in Canada does not thereby constitute in law those activities as federal works or undertakings.

    [41] Despite my finding that the Association is not a federal work or undertaking contrary to the joint submission of the parties, I turn to the question of whether the personal information that the Association collects, uses or discloses was done in the course of commercial activities.

    [42] Rodgers submits that the court is entitled to give significant weight to the interpretation of PIPEDA by the office of the Privacy Commissioner of Canada, being the administrative agency under PIPEDA: see Nowegijick v. R. [1983], 1 S.C.R 29 at p.37. Counsel cites various dicta from the website of the Privacy Commissioner. The pertinent parts of such dicta are as follows:

    Whether or not an organization operates on a non-profit basis is not conclusive in determining the application of [PIPEDA]. The term non-profit or not-for-profit is a technical term that is not found in PIPEDA. The bottom line is that non-profit status does not automatically exempt an organization from the application of [PIPEDA].

    Most non-profits are not subject to [PIPEDA] because they do not engage in commercial activities. This is typically the case with most charities, minor hockey associations, clubs, community groups and advocacy organizations. Collecting membership fees, organizing club activities, compiling a list of members' names and addresses and mailing out newsletters are not considered commercial activities. Similarly, fundraising is not a commercial activity. However, some clubs, for example, many golf clubs and athletic clubs, may be engaged in commercial activities which are subject to [PIPEDA].

    As the definition of commercial activity makes clear, selling, bartering or leasing a membership list or list of donors would be considered a commercial activity.

    [43] It is not in issue that the Association, at the time of the applicant's request for the membership list, was not selling, bartering or leasing its membership list or list of donors. The record establishes the following facts about the Association, its activities and undertaking.

    (1) Its charter objects are "to promote and maintain safe recreational shooting and to promote and maintain sportsmanship, fellowship and conservation."

    (2) It is carried on without the object of gain for the members;

    (3) There is no profit margin in the membership fees nor is there an objective to make a profit but rather to meet expenses.

    (4) It has no employees; volunteers perform necessary services with the exception of the recording secretary (minutes of meetings), the monthly bookkeeping service and ground maintenance personnel, who receive a small honorarium.

    (5) The general public does not have access to the Association's facilities in the ordinary course; when there are competitions, non-members must pay entrance fees.

    [44] The question remains whether the activities and undertaking are commercial activities within the meaning of PIPEDA.

    [45] Section 2(1) defines commercial activity as:

    Any transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

    [46] As noted above, there is no evidence to support a finding that the Association was "selling, bartering or leasing its 'donor, membership or other fundraising lists'." The question then becomes whether producing a membership list under s.307 of the Act, is of a commercial character so as to come within the s. 2(1) definition of commercial activity.

    [47] Rodgers submits that in interpreting the words "commercial activity" in the statutory definition, the court should apply the preponderant purpose test, set out in Ontario (R.A.C.) v. Caisse Populaire de Hearst Ltee., [1983] 1 S.C.R. 57. The test simply stated is that if, upon analysis, the preponderant purpose of the activity is the making of a profit, then the activity may be classified as a business. However, if there is another preponderant purpose to which any profit earned is merely incidental, then it will not be classified as a business.

    [48] The respondents contend, however, that since the primary purpose of PIPEDA is to protect personal information, the term "commercial activity" should be interpreted primarily as it relates to "the collection, use or disclosure" of personal information rather than as it relates to the Association engaged in the "collection, use or disclosure". Counsel submits that if the collection of personal information in a membership list arises in a transaction that is of a non-commercial character, but the use or disclosure of that personal information is in a transaction or act that is of a commercial character then the personal information is entitled to the protection of PIPEDA. Counsel further submits that if the collection of the personal information arose in a transaction that is of a commercial character, then that personal information is entitled to the protection of PIPEDA regardless of whether disclosure itself was in the course of commercial activity. In sum, the Association submits that the collection of personal information in making up the membership lists was in the context of a "commercial activity".

    [49] Counsel argues as follows:

    (1) The personal information that the applicant seeks to obtain from the Association's list of members was collected by the Association in the course of the membership transaction.

    (2) The membership transaction involves the member submitting among other information his or her name, address and phone number, together with the prescribed membership fee.

    (3) In return, the member is entitled to receive the services and benefits that members of the Association enjoy.

    (4) That exchange of consideration is a transaction that is clearly commercial in character.

    [50] I deal first with the preponderant purpose submissions. I am persuaded that the question of whether any organization is a business for purposes of taxation under the Assessment Act is not determinative or applicable to the interpretation of the term "commercial activity" under PIPEDA, having regard to the different objectives of the two statutes. However, I am not persuaded that the interpretation submitted by the Association as to the breadth of the words commercial activity as defined in PIPEDA is apt.

    [51] The "exchange of consideration" involved in supplying personal information and a prescribed membership fee in exchange for the services and benefits of membership in the Association may constitute consideration under the law of contract. However, consideration in contract does not in itself lead to the finding of commercial activity in the PIPEDA context. In my view, there must be something more than a mere "exchange of consideration", as described by counsel, to be within the definition of "commercial activity".

    [52] Counsel for the Association has in his written submissions referred to a dictionary definition of the words "commerce" and "commercial", in aid of interpreting the meaning of the phrase "commercial activity".

    [53] In that dictionary, the word "commerce" is defined as:

    exchange between men of the products of nature and art; buying and selling together; exchange of merchandise

    ...

    The word "commercial" is defined as:

    engaged in commerce; trading; of or relating to commerce or trade.

    (See Shorter Oxford English Dictionary page 349 - Appendix B.)

    [54] The same words are defined in the Oxford English Reference Dictionary, Oxford University Press, Second Edition, 1996, as follows:

    "commerce": financial transactions, especially the buying and selling of merchandise, on a large scale;

    "commercial": of, engaged in or concerned with commerce; having profit as a primary aim rather than artistic, etc. value.

    (See page 290).

    The difficulty in dictionary definitions can be readily seen by the absence of the word or notion of profit or gain in the source quoted by counsel for the Association and the presence of the notion of profit or gain in the definition found in the Oxford Reference Dictionary.

    [55] Although the dictionary definitions assist somewhat in interpreting the term "commercial activity" in s. 2(1) of PIPEDA, I rely more heavily on the interpretation from the Privacy Commissioner's website noted above wherein it is stated that "collecting membership fees, organizing club activities, compiling a list of members' names and addresses and mailing out newsletters are not considered commercial activities."

    [56] On the record before me, it is not feasible to set out criteria or facts as to what constitutes a commercial activity for a not-for-profit organization. I am nonetheless persuaded there is nothing in the record that indicates that the activities of the Association at large and the production of the membership list in particular in this case would be considered a commercial activity for purposes of PIPEDA. In light of these findings I do not find it necessary to address the contention of the Association that the words "required by law" in s.7(3)(i) of PIPEDA do not apply to s.307 of the Corporations Act but only to case law. In similar fashion I find it unnecessary to give effect to concerns expressed on behalf of the Association that if the list of members were to get into "the wrong hands" it could result in dangerous consequences since the members own firearms and ammunition. The applicant in receiving the membership list for the Association is governed by the provisions restricting the use to which the membership list can be put and will be subject to the sanctions contained in the Act for any non-compliance with those restrictions.

    Disposition

    [57] An order shall go directing the Association through its proper officers to produce and deliver forthwith to the applicant a list of the members of the Association in accordance with the provisions of s.307 of the Act.


    Costs

    [58] The motion raises a novel point of law. Both parties through their counsel have attempted to address the issues and have done so in a thorough manner. In the circumstances, I am of the view that each party should bear his/their own costs.

    ___________________________

    MacKENZIE J.

    Released: September 8, 2004

    Tuesday, September 21, 2004

    Health privacy law will lead to offshoring of clinical research

    In an earlier blog entry, I referred to a press release that claimed the HIPAA privacy rule will hinder clinical research. Now, UPI is carrying a story that says this will lead to the "offshoring" of clinical trials:

    Health privacy law hinders research - (United Press International):

    "... Dr. Roberta Ness, of the University of Pittsburgh's Graduate School of Public Health, told the American College of Epidemiology conference in Boston this week unless the law is significantly changed many clinical studies could be moved off-shore and out of reach of U.S. regulations..."

    Thanks to SANS PrivacyBits for the link.

    Saskatchewan opposition wades into the health privacy debate

    Further to a few recent items referred to in this blog (see here and here), the Saskatchewan opposition is asking that amendments to the Health Information Act be discussed by a legislative committee:

    Committee should deal with privacy act: Opposition

    The opposition Saskatchewan Party wants concerns involving proposed regulations for the Health Information Protection Act discussed by a legislative committee.

    Health critic Rod Gantefoer says it's important the committee deal with them first.

    Privacy commissioner Gary Dickson says the province's health department needs to be more careful about how it handles patients' health information.

    Dickson has released a 20-page report critiquing the province's proposed regulations for the Health Information Protection Act.

    The Information and Privacy Commissioner's report is available here.

    Saskatchewan labour group objects to proposed changes to province's Health Information Protection Act

    The Saskatchewan Federation of Labour is objecting to the proposed changes to the Saskatchewan Health Information Protection Act that would allow hospitals to use patient information for fundraising without consent. (See my blog entry Saskatchewan proposal to use patient information for fundraising lists.)

    Saskatoon StarPhoenix - canada.com network:

    "A warning to the provincial Health Department from the privacy commissioner.

    Gary Dickson says if an organization wants to use somebody's personal information for a different purpose than for which it was given, it should go back to the individual for consent.

    Dickson says allowing regional health authorities that operate hospitals to share with their fundraising organizations the names and addresses of patients without getting their consent would be a serious breach of privacy.

    He has released a 20-page report critiquing the provincial government's proposed regulations for the Health Information Protection Act."

    For those in Ontario, you may be interested in the "case study" included in the Information and Privacy Commissioner's new "Guide to the Health Information Protection Act":

    Example 5: Can personal health information be used for fundraising activities?

    A charitable foundation for a children’s hospital has been asked to raise money to support a large research project on a specific childhood genetic disorder. To make the campaign for funds as effective as possible, the foundation has decided to solicit funds only from families affected by this particular disorder. The foundation has asked the hospital for the contact information of the parents of children who have been identified as having this genetic disorder. Is the hospital permitted under the Act to provide this information to the foundation?


    Is the parents’ contact information considered to be personal health information?

    Under the Act, personal health information includes identifying information about an individual if the information relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family. Thus, parental contact information combined with information about a child’s genetic disorder would be considered to be the personal health information of both the child and the parent.


    Is the hospital permitted to provide personal health information to the foundation for fundraising purposes?

    Since the hospital foundation is fundraising on behalf of the hospital, the foundation is considered to be an agent of the custodian and the provision of personal health information to an agent of the custodian is considered to be a use by the custodian rather than a disclosure to the agent. Under the Act, custodians may use personal health information for the purpose of fundraising activities only where the individual expressly consents or the consent of the individual can be implied, from the circumstances, and the information consists only of the individual’s name and contact information (as specified in the regulations). In this scenario, consent for the use of the information for fundraising may be implied, but only if the information that will be used is limited to individuals’ contact information.


    Is the information that will be used limited to individuals’ contact information?

    Since the fact that one or more of the individual's children has a specific genetic disorder will be used to compile a list for the purpose of targeted fundraising, the information that will be used is not limited to contact information. Accordingly, the conditions for implying consent to use the information for fundraising purposes in this scenario have not been met. The custodian would have to seek express consent for this type of targeted fundraising activity.

    Monday, September 20, 2004

    Privacy Site of the Day: PrivacySpot.com

    My attempt at posting a daily privacy link has been somewhat irregular, but I hope that what I lack in regularity, I make up for in quality.

    Today's Privacy Site of the Day is the blog PrivacySpot.com, which is subtitled "nothing but privacy". And it lives up to its billing. I've been a regular reader for some time and it has been a great resource. The site is very innovative: Rather than being the effort of a single practitioner, it is written by a team of privacy lawyers from the Texas firm of Hughes & Luce. The firm name is not prominent on the blog, which is a little surprising since the site would be a great promotional vehicle for their privacy practice group. But they aren't too shy about trumpeting their success: PrivacySpot.com has been named one of the top fifty blawgs by Electronic Data Discovery Information Exchange.

    Bloglines users can subscribe to this blog by clicking here: Subscribe with Bloglines

    Resource: A Guide to the Health Information Protection Act (Ontario)

    The Information and Privacy Commissioner's office in Ontario has released a very useful guide to the Personal Health Information Protection Act (also known as PHIPA, HIPA or Bill 31). The forty-four page guide is meant to provide "health information custodians" with a good understanding of their obligations under this new law (which comes into force on November 1, 2004).

    IPC - A Guide to the Health Information Protection Act:

    "The Personal Health Information Protection Act sets out rules for the collection, use and disclosure of personal health information. These rules will apply to all health information custodians operating within the province of Ontario and to individuals and organizations that receive personal health information from health information custodians. The rules recognize the unique character of personal health information - as one of the most sensitive types of personal information that is frequently shared for a variety of purposes, including care and treatment, health research, and managing our publicly funded health care system."

    It is available as an HTML document for viewing onscreen or as a nicely-formatted PDF file.

    Sunday, September 19, 2004

    US Senate votes for privacy study on agencies' data-mining use

    The United States Senate passed an amended version of the 2005 Department of Homeland Security spending bill that includes a requirement that all federal agencies that use data mining techniques report on the privacy impact of this activity. The version of the bill passed by the House of Representatives in June of this year did not contain such a requirement: See www.GovExec.com - Senate votes for privacy study on agencies' data-mining use (9/16/04).

    Friday, September 17, 2004

    Column: Leave social networks at home

    Linda Musthaler's column in NetworkWorldFusion discusses the privacy aspects of social network software such as Friendster, Plaxo and the like:
    Leave social networks at home:

    "Attention friends and acquaintances: Please stop sending me invitations to join your electronic social networks. I know Plaxo, Friendster, Tickle and other networking tools help you remember my address and phone number, but I'd prefer you hand-write them in your little black book. At least the data will belong to you alone and won't be shared with the world.

    It seems not a week passes that I don't get an invitation to join one of these social networks. So, being the skeptic that I am, I did a bit of research about them. What I found scared the heck out of me, and it's enough to give a corporate privacy officer heart palpitations. ..."

    Thursday, September 16, 2004

    Privacy law prompts recording of calls

    This may strike some as more than a little ironic, but the Star Ledger of New Jersey reports that health privacy laws in the United States have prompted an increase in the recording of calls. The article, "Privacy law prompts recording of calls", says that hospitals and others are routinely monitoring calls to make sure that representatives are following proper procedure and not disclosing sensitive health information until the identity of the caller is clearly established. Oh, and to have a record in case the patient sues later ...

    Commentary on privacy and the USA Patriot Act

    The Shrewsbury Chronicle contains a brief and interesting commentary on how some of the more intrusive aspects of the USA Patriot Act are affecting ordinary citizens, beginning with the requirement that all users of postal boxes provide the government with two pieces of photo ID.

    Saskatchewan proposal to use patient information for fundraising lists

    From today's Globe & Mail Health column:

    Looking for a loophole:

    "Saskatchewan's health department is considering amendments to provincial privacy regulations that would allow hospitals to use patient records to build mailing lists for fundraising campaigns.

    Under the current Health Information Protection Act, patients must give their consent before hospitals can send them requests for donations. Duane Mombourquette, director of strategic planning and information policy with Saskatchewan Health, said one option now under consideration would allow hospitals to assume patients don't mind being asked for money.

    If patients don't enjoy being contacted, Mr. Mombourquette said, they would be allowed to contact the hospital and take their name off the mailing list.

    Gary Dickson, Saskatchewan's Information and Privacy Commissioner, plans to give the provincial legislature his opinion about the proposal in a few weeks."

    Is circumventing "disclosure" a distinction without a difference?

    This article relates to the lawsuit that has been brought against Albertsons pharmacies (see Lawsuit: Privacy advocacy group sues drug store chain over alleged privacy concerns). The lawsuit alleges that Albertsons used pharmacy customers' personal information to send marketing communications. According to counsel for the plaintiffs, the way in which the communications were sent is irrelevant:

    Albertsons Sued Over Customer-Data Privacy:

    "'The specific California code provision that we're dealing with prohibits the pharmacy from selling, sharing, or otherwise using any medical information for any purpose,' Krinsk explains. 'The critical distinction that they make, that we believe is of no consequence, is they say that they don't sell the information. They claim that the process that they employ doesn't constitute selling or using of information. Rather than selling the names and addresses they instead either handle [the data] internally or handle some of it internally and then contract out to third-party administrators. We allege that's a distinction without a difference.' "

    For us in Canada, this is not just an interesting read. The same sorts of practices take place all the time here in an effort to circumvent the "disclosure only with consent" requirements of PIPEDA. Many associations used to sell lists to third parties for marketing purposes but are no longer able to do so because they don't have the consent of the members to sell the list to the other organization. To get around this, the organization that wants to market to the members simply pays the association to send the solicitation on its behalf. Presto, no disclosure. The prevailing opinion is that this fits within the letter of PIPEDA, but is it consistent with the spirit? Is it a distinction without a difference? Unless the solicitation clearly appears to come from the association, the distinction is probably lost on members, who receive what looks like a mailing from an organization with which they have no pre-existing relationship. As of yet, we have no word from the Canadian Privacy Commissioner or the Federal Court about how this will be viewed.

    Privacy Site of the Day: HIPAA Blog

    Today's "Privacy Site of the Day" is the HIPAA Blog, a blog that contains regularly updated links to HIPAA resources, HIPAA stories and the like. While I don't practice American law, current information on HIPAA is useful and instructive for advising Canadian clients in the healthcare arena. Many of the questions that have arisen in the wake of the HIPAA Privacy Rule are going to come up in Ontario with the implementation of the Personal Health Information Protection Act. For bloglines users, you can add the HIPAA Blog feed by clicking here: Subscribe with Bloglines

    Wednesday, September 15, 2004

    Privacy Law and Workplace Investigations: Workshop

    I spent the day today with Paul Bradley, VP of PricewaterhouseCoopers, giving a workshop for Insight Information on conducting workplace investigations in the new era of privacy regulation. Anyone who is interested can get a copy of my powerpoint presentation here: Privacy Law and Workplace Investigations: Workshop

    HIPAA does not create a private right of action for release of quality of care information

    As reported by the Employee Benefits Institute of America (EBIA), the US District Court in Denver has held that HIPAA does not allow a hospital to sue a media outlet to prevent the publication of quality of care information:

    EBIA - HIPAA ==> Hospital Cannot Sue Newspaper Under HIPAA for Privacy Violations:

    "The publisher of a newspaper obtained (from an unknown source) a report that was prepared as part of a hospital's peer review process. The hospital sued to stop the newspaper from publishing information from the report, arguing that use of the report by the newspaper would violate the HIPAA privacy rules. After losing in its bid to stop publication of the report, the hospital then sought money damages, attorneys' fees, and return of the report under HIPAA and state laws. The court held that HIPAA does not create a private right of action and sent the case to state court to resolve the state law claims...."

    The full citation of the case is University of Colorado Hospital Authority v. Denver Publishing Co., No. 03-WM-1977 (D. Colo. Aug. 2, 2004)

    Thanks, Toronto CED Learning Network

    Thanks to the Toronto Learning Network, which has named this blog as "Site of the Week":

    The Toronto CED Learning Network:

    "PIPEDA and Canadian Privacy Law

    Maintained by a Canadian privacy lawyer, this web site provides updates and new information about developments in privacy law. "

    Tuesday, September 14, 2004

    Japanese companies taking privacy seriously and taking out insurance to cover losses

    The Asahi Shimbun website has a very interesting story from Japan about the reaction of Japanese businesses to highly-publicised leaks of personal information. While some of these practices may seem to go overboard, they really are prudent since a large number of Japanese customers don't appear to be shy about complaining about mishandling of personal information. If you don't need it, don't collect it in the first place. If you no longer need it, destroy it. I haven't heard about specific privacy insurance in Canada yet, but it may not be too far off ...

    PLUGGING THE HOLES: Data patrol

    Companies are scrambling to protect themselves against potentially disastrous information leaks.

    "A leak of data even on dozens of customers would bring an unrecoverable blow to us."

    EXECUTIVE, Food company in Tokyo

    Every morning, an executive of a Tokyo food maker heads to the paper shredder and destroys documents. The measure, he says, is essential in protecting the company.

    He is not hiding evidence from investigators. His action is part of efforts spreading nationwide to prevent data leaks that could lead to financial disaster.

    The shredded documents at the food company are delivery order slips that contain customers' names, addresses and phone numbers.

    The company decided to destroy all personal information, except e-mail addresses, as soon as a product's delivery is confirmed. Keeping a large amount of personal data "means an increased risk," the executive says.

    "Unlike a major company with physical strength, credibility is all that smaller firms like ours can count on," said the executive of the food maker, with a work force of several dozen employees. "A leak of data even on dozens of customers would bring an unrecoverable blow to us."

    Prior to the full implementation of the personal information protection law next April, businesses are stepping up efforts to prevent information leaks.

    Workers are educated on the importance of data protection. And many companies are now seeking ``data leak insurance'' to cover potential damages from lawsuits.

    The law, which already regulates administrative entities, will be extended to cover private businesses with personal data on 5,000 or more people. Violators face a maximum six-month prison term or a fine of up to 300,000 yen.

    But the real risk, as the Tokyo food maker fears, is a loss of credibility - and potentially huge compensation payments.

    Businesses have a reason to be concerned. Videotape and CD rental chains, for example, have membership information on thousands of customers.

    According to the Japan Network Security Association, compensation for a data leak varies from 1,000 yen to 1.5 million yen per customer, depending upon what information was leaked and how the company dealt with its aftermath.

    Based on past court decisions, the association estimates a leak of an e-mail address could cost a company 4,000 yen. But the compensation amount soars to 300,000 yen per person if the name, address and legal domicile are leaked.

    If all the 1.55 million victims in 57 leakage cases reported last year had sued, the total compensation could have reached 28 billion yen, according to the association.

    The Compact Discs & Video Rental Trade Association of Japan is preparing guidelines for its 1,100 members on how to handle personal data.

    Member stores often use a driver's license to confirm the identity of a customer. But the license also carries the holder's permanent and current addresses.

    "If data are leaked and 100 customers file complaints, the business would be thrown into confusion," said an association official.

    The association advises its members to black out the permanent domicile on the license's photocopy. But "many shops count on part-time workers so teaching them is a major challenge," said the official.

    Concerns over repercussions from data leaks have provided a business opportunity for non-life insurers, which have come out this year with new products to cover damages from information leaks.

    "The responses are extraordinary," said an official of Mitsui Sumitomo Insurance Co., which has sold about 100 policies a month since it made the new product available in June.

    The insurance covers compensation payments up to 300 million yen, even if the leak was an intentional act of an employee.

    A series of large-scale leak cases this year prompted businesses to get insured.

    A leak at Internet service provider Softbank BB Corp. affected 6.6 million customers.

    Information of 1.16 million customers was leaked in the Sanyo Shinpan case, while the figure in the Cosmo Oil case was 920,000.

    Victims are increasingly bringing their cases to court. After residents' register data were taken out and circulated from Uji city in Kyoto Prefecture, three residents sued the city government.

    A court ordered the city to pay a total of 45,000 yen to the plaintiffs. The ruling was finalized in 2002.

    TBC, an aesthetic salon, has been hit with a group lawsuit demanding 1 million yen in compensation for each plaintiff. Data on 50,000 clients, including vital statistics, were leaked, and some of the information was posted on the Internet.

    The Japan Network Security Association says the possibility is high that many more victims will join group lawsuits if the compensation amounts rise to hundreds of thousands of yen per person.

    "We hope each company will find out how much their personal data are worth before hammering out steps against information leaks," an association official said. (IHT/Asahi: September 8, 2004)