Friday, August 31, 2007

Incident: Sick Kids physician loses portable hard-drive with unencrypted personal health information

A physician from Sick Kids hospital who decided to travel with a portable hard-drive containing unencrypted health information on 3,300 patients lost the drive in Canada's busiest airport. This happened six weeks after the Information and Privacy Commissioner ordered that the hospital not allow electronic health information to leave the hospital unless it was encrypted. See: - living - Sick Kids doctor loses data on 3,300 patients.

Tuesday, August 28, 2007

Incident: Security breach hits TradeFreedom

Canadian brokerage TradeFreedom has been hit with a security breach and is notifying some of its customers that their information may have been compromised: Security breach hits online brokerage

Online broker TradeFreedom Securities Inc. has quietly notified an unidentified number of its customers that a computer security breach has compromised some of their personal information, potentially exposing them to fraud.

In what it described as a follow-up to an Aug. 17 notice to clients, it said in a Friday e-mail that it had finished its investigation into the "recent unauthorized intrusion" of one of its computer systems.

"We have subsequently determined that, despite our security systems in place at the time, this unauthorized intrusion has also resulted in the compromise of some of your personal information," TradeFreedom said. "This information is your name, social insurance number, city, province and postal code."

Citing a continuing police investigation by the Sûreté du Québec, TradeFreedom president Bruce Seago said he could not release any details about the nature or timing of the computer security breach....

Monday, August 27, 2007

Privacy awareness week

Yesterday was the first day of Privacy Awareness Week in Canada. I haven't seen the commissioners making a visible fuss out of it, but CAPAPA has issued a release:
CAPAPA supports Canadian’s Right to Know
“Privacy IS Your Business”(Calgary, Alberta)

August 26, 2007 – CAPAPA (Canadian Association of Professional Access and Privacy Administrators) is pleased to support international Privacy Awareness Week, August 26th to September 1st, 2007. Privacy Awareness Week, a campaign first initiated by Privacy Victoria (Australia) in 2001, has for the first time gone international.

As Canada’s leading association serving privacy and access professionals, CAPAPA is spearheading the campaign to promote privacy awareness in Canada. “Identity theft and information security breaches are happening more often than ever,” says CAPAPA National Chair Sharon Polsky. “To reverse that trend, Canadians must recognize the importance of protecting their personal information — at home, in the workplace, and in the consumer marketplace.”

Privacy Awareness Week provides an opportunity for individuals to raise questions about privacy legislation and its impact on how individuals conduct their business and personal lives. Privacy Awareness Week spotlights the need for Canadians to recognize their rights and obligations to maintain the privacy of their personal information. The theme for Privacy Awareness Week 2007 is ‘Privacy is your business'.

Know your Rights and Obligations

Canadian organizations, governments, and government agencies are bound by a variety of wide-reaching privacy laws. Ms. Polsky notes that, “As consumers, each of us is responsible to understand what our rights and responsibilities are under those laws.”

CAPAPA is a key source for helping Canadians recognize their privacy rights and responsibilities, and is the privacy advocate’s source for issues such as the passenger name record exchange, emerging RFID CHIP technology, and CAPAPA's Submission to the Senate on proposed changes to Canada’s Election Act.

More information on these and other Canadian privacy issues is at For more information on how you can promote Privacy Awareness Week 2007, visit or contact CAPAPA at:

Developments in UK data protection law

DP Thinker has posted a few developments in UK data protection law:

DP thinker: A few developments

Just a few developments to note on data protection in the UK:

1) The draft Data Retention (EC Directive) Regulations 2007 will take effect on 1st October 2007. These regulations implement the Data Retentions Directive 2006/24/EC and will apply to public electronic communications providers. Data will be retained for a period of 12 months from the date of communication (Regulation 4(2)). The types of data to be retained are telephone numbers and mobile numbers (Regulation 5(1) and 5(2)). The regulations do not apply to data from internet access, e-mail and internet telephony (VoIP). The Information Commissioner will monitor the application of these regulations (Regulation 8). A comparison of the other European Member States' Laws implementing the Data Retentions Directive 2006/24/EC can be found here.

2) On 24 October 2007, the transitional exemptions under the UK Data Protection Act 1998 will end. This means that structured manual filing systems containing personal records will be covered under the Data Protection Act, but would apply to data that was held before October 1998. The Durant case will be relevant, which took the view that most manual file files are not relevant filing systems.

3) Draft Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2007 - The Government has drafted amended freedom of information (FOI) fees regulations which will allow public authorities to take into account more comprehensively the work involved in dealing with an FOI request. The consultation was completed in June, but further details can be found here.

Sunday, August 26, 2007

NZ commissioner to release breach guidelines

New Zealand's privacy commissioner, Marie Shroff, is going to introduce voluntary privacy breach guidelines today. I understand they are modeled on those recenly produced by the Canadian Privacy Commissioner. I'll post a link when they are released.

Computerworld > Privacy Commissioner boosts breach disclosure drive with guidelines

Privacy Commissioner Marie Shroff will today announce a draft guide for the management of data breaches in business and government, in what could be the first step towards introducing data breach disclosure laws to New Zealand.

The guidelines are not mandatory, however. Shroff says she may consider whether breach notification should be a mandatory part of New Zealand law, as is the case in parts of North America and has been recommended in Canada.

The guidelines say data breaches should be managed in four stages: containing and assessing the breach; evaluating the risks; considering or undertaking notification; and putting in place future prevention measures.

“Be sure to take each situation seriously and move immediately to investigate the potential breach,” the guidelines say. “Steps 1, 2 and 3 should be undertaken either simultaneously or in quick succession. Step 4 provides recommendations for longer-term solutions and prevention strategies. The decision on how to respond should be made on a case-by-case basis.”

UPDATE: Here are the materials posted on the NZ Commissioner's website:

Key steps for agencies responding to privacy breaches and privacy breach guidelines. The Commissioner welcomes feedback on the draft documents. Comments due by 28 September 2007.

Download the documents

Saturday, August 25, 2007

More on Facebook and defamation

Not much of a privacy angle here, but I thought I'd post it nevertheless.

I was interviewed yesterday by the CBC to talk generally about issues related to defamation and Facebook, after it was reported that Facebook has shut down a group that falsely accused a Nova Scotia university of using dogs for scientific experiments.

Here's the video:

Friday, August 24, 2007

Incident: criticized for waiting five days to report data breach

Reuters is reporting that databases of were broken into and the personal information of 1.3 Million users was compromised. Much of the focus is on a five day "delay" in making the matter public, though I think five days really isn't a long time to invetigate and figure out what to report. See: Delayed Disclosure of Data Theft - New York Times.

Thursday, August 23, 2007

Substantial potential economic losses don't cut

A plaintiff seeking compensation for having personal information compromised has to face the hurdle of needing to prove damages. Under a conventional cause of action for negligence, harm is an essential element. If there is no harm, there's no negligence. No negligence, no cash. Just a risk of harm or an increased risk of harm is not enough.

This was recently affirmed by a US federal appeals court, which denied a class action brought following the release of personal information of customers of Old National Bancorp. See Wired's coverage:

Threat Level - Wired Blogs

Tens of thousands of Old National Bancorp customers whose personal and financial information was hijacked by a computer hacker cannot recover damages from the Indiana banking institution who lost the data in 2005, a federal appeals court ruled Thursday.

In dismissing a proposed class action against Old National Bancorp, the 7th U.S. Circuit Court of Appeals said damages were unavailable to victims of data theft if those victims did not suffer economically.

The three-judge panel of the circuit, mirroring decisions of federal courts in Ohio, Minnesota, Arizona and Michigan, ruled (.pdf): "Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy."

The plaintiffs did not allege direct financial loss and did not claim they had been the victim of identity theft. They alleged they suffered "substantial potential economic damages" and demanded compensation for emotional harm out of fear they would suffer economic damages by those who stole their information.

The bank's customers also demanded a "monitoring procedure to insure prompt notice to plaintiffs of any attempt to use their confidential personal information stolen from the defendants."

The appeals court also ruled that the law in Indiana, where the bank is located, did not protect the customers either.

"Had the Indiana Legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent," the court wrote.

The court added that the plaintiffs "have not come forward with a single case or statute, from any jurisdiction, authorizing the kind of action they now ask this federal court, sitting in diversity, to recognize as a valid theory of recovery under Indiana law."

The court noted that the investigation into the security breach was under seal. But the judges added that "the scope and manner of access suggests that the intrusion was sophisticated, intentional and malicious."

CBA's National magazine

The July/August edition of the CBA's National magazine is chock full of interesting stuff and interesting people. I'm quoted on page 17 in an article on e-mail encryption, there's a profile of Winnipeg privacy lawyer Brian Bowman starting on page 44 and David Canton has an article on document retention on page 56. You can read it all online here: National - July/August 2007

Tuesday, August 21, 2007

Privacy Commissioner launches e-learning tool for retailers

This should have been done a few years ago ...

Yesterday, the Privacy Commissioner of Canada launched an online training tool for retailers to understand their obligations under PIPEDA. I haven't taken the course yet, but anything like this should be a good thing.

News Release: Privacy Commissioner launches e-learning tool for retailers (August 20, 2007) - Privacy Commissioner of Canada

Ottawa, August 20, 2007 – Retailers now have a free, do-it-yourself interactive tool to help them bring their privacy practices and policies in line with the law, the Privacy Commissioner of Canada, Jennifer Stoddart, announced today.

“Small businesses often don’t have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada’s privacy legislation,” says Commissioner Stoddart. “Nor is it always necessary. Good privacy compliance doesn’t have to be expensive or time-consuming”.

The new e-learning tool created by the Office of the Privacy Commissioner of Canada (OPC) provides retailers with the information they need to set up their business to meet their obligations under Canada’s privacy laws and provide customers with the privacy protection they’re guaranteed under the Personal Information Protection and Electronic Documents Act (PIPEDA).

“Protecting customers’ information is an increasingly important part of running a business today and the online training is a valuable tool to help our members build solid privacy practices into their operations,” says Catherine Swift, President and CEO of the Canadian Federation of Independent Business (CFIB).

Derek Nighbor, Vice-President, National Affairs with the Retail Council of Canada (RCC) agrees. “With the proliferation of identity thieves and online fraudsters, members of the RCC who do not always have the time or the resources to learn about PIPEDA requirements will be pleased with the user-friendliness of this e-learning tool. Ultimately, their customers will find this a rewarding tool in the protection of their personal information” says Mr. Nighbor.

The OPC, in a joint initiative with the RCC, recently mailed privacy information kits to some 3,000 retailers in provinces where businesses are governed by PIPEDA. The kit includes a guide entitled Your Privacy Responsibilities: A Guide for Businesses and Organizations. (The kits will not go out to Retail Council members in the three provinces which have adopted their own private-sector privacy laws, B.C., Alberta and Quebec.)

“Some small businesses have been very proactive in developing good privacy practices, while many others still have a ways to go,” Ms. Stoddart says.

“Protecting customers’ personal information is the law, and it’s also good for a company’s reputation and bottom line,” the Commissioner adds, noting that research has shown it costs far less to adequately protect personal information in the first place than to clean up after a data breach.

The online retailer training session takes only about 30 minutes to complete. At the end, retailers will have: an information audit of their business; consent provisions required specifically for their business; a security plan; a sample privacy brochure for customers; and a training needs assessment. The interactive training is available online at

New information for other types of small businesses is also available on the OPC’s web site.

Companies – large and small – in all but three provinces are subject to PIPEDA. The law imposes obligations on how those businesses must handle personal information such as names and addresses.The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

Sunday, August 19, 2007

Why businesses need to ask themselves "What's the worst that can happen?"

Many businesses deal with personal information that they would not consider "sensitive" personal information. Names, addresses, delivery instructions, maybe payment information. Other than credit card data (which isn't retained, right?), most is seen to be routine, mundane transactional data.

But businesses need to constantly ask themselves what is the worst that can happen if personal information is disclosed? Or if any of their usual practices could somehow cause their customers harm of any kind. Privacy goes well beyond preventing fraud and identity theft. Personal information is powerful and what might be perfectly mundane to most may cause particular individuals real problems.

There's a story out of Texas that provides a great illustration of what can go wrong and how businesses should be thinking about their practices. A Texas resident is suing 1-800-FLOWERS for a million bucks because they sent him a card thanking him for his patronage. Nothing offensive there, right? But the thank you card was read by his soon-to-be ex-wife and it showed that the plaintiff had sent a dozen long-stemmed roses to someone else. What had been an amicable separation went sideways and she has significantly upped her demands. (See: Married Man Sues Florist for Revealing Affair: Man Sues for $1 Million After Wife Discovers He Bought Flowers for His Girlfriend.)

You may think he is a cheating weasel who deserves everything he gets. But, assuming the article is correct, was it really his florist's job to drop a dime on him? Simply put, no it isn't.

Some time ago, a cellular phone carrier in Ontario provided a customer's billing records to his wife because she said she was doing the monthly bills and couldn't understand some of the charges. He was having an affair and the bills told the tale. (National Post, 27 September 2003.)

I've heard of a clinic in Nova Scotia that called to ask a question about scheduling a patient's vasectomy and, when the patient wasn't home, asked his wife. No harm done in that case, but what if the spouse didn't know about the man's plans? What if it wasn't his wife who answered, but a friend, housekeeper, etc?

A while ago, the Alberta Privacy Commissioner "named and shamed" a pharmacist for disclosing a patient's prescriptions to the patient's spouse. The question related to tax records, but it did disclose psychiatric prescriptions.

What does all of this mean? Many of these disclosures are made in good faith with no intention to harm anyone. On the contrary, most are made to be helpful. But for some customers/patients, these disclosures can have disastrous consequences. Every business that collects, uses or discloses personal information has to be mindful of this.

Undiscriminating Facebook users at risk

I've blogged before about Facebook. I like the service and I especially like the privacy controls they've built into the system. Users control how much information they make available, either to strangers or friends. Most users who give any thought to privacy lock down what information is made available to the world at large and only let chosen "friends" have access to the piles of pesonal information that most users put online.

The distinction in Facebook is always between "friends" and others. But the user's only defence is carefully choosing who is let into that select group.

Unfortunately, more than four in ten users will let anyone (including a frog) be their friend. Sophos did a recent study, setting up a fake profile of a frog and sent out 200 friend requests. More than forty percent of the requests were accepted, allowing those who created the frog profile to see their personal information. (See: Sophos Facebook ID probe shows 41% of users happy to reveal all to potential identity thieves.)

"So what?" you might ask. Many Facebook users' profiles contain:

  • Full name
  • Home address
  • Full date of birth
  • Phone number
  • Information on relatives
  • Information on friends
  • Work information

If I know your address, your full name, your employer and your date of birth, that's enough to fill out a credit card application in your name. (Not that I would!)

Promiscuous, undiscriminating Facebook users beware!

Thanks for the link: B.L. Ochman's weblog: Internet marketing strategy, social media trends, news and commentary.: Would You "Friend" a Fake Frog on Facebook? Four in 10 Did.

Monday, August 13, 2007

BC auto body shops object to auto insurer's credit-card policy

Auto body repair shops in British Columbia are complaining to the province's privacy commissioner about the public auto insurer requiring that the shops hand over customer credit card information in the course of routine audits.

I wonder whether there's anything in the customer's policy allowing ICBC to collect this information?

Check it out:

Auto body shops take aim at ICBC's credit-card policy

Neal Hall, Vancouver Sun

Published: Monday, August 13, 2007

An association representing auto body shops and automotive glass repair companies has filed a complaint with B.C.'s information and privacy commissioner about having to hand over customer credit card numbers to the Insurance Corp. of B.C.

The United Auto Trades Association of B.C. says disclosure of a customer's personal and financial information during ICBC audits should not be done without a customer's written consent.

The complaint, obtained by The Vancouver Sun, says the disclosure without written consent is "clearly unlawful."

"It's of concern to us," said Gerry Preddy, vice-president of the association. "We've had examples of files being lost [by ICBC]."

The association, in its complaint, cites the federal Personal Information Protection Act, which states: "An organization must not, as a condition of supplying a product or service, require an individual's consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service."

ICBC demands such information during audits of auto body and glass repair shops that participate in ICBC's Glass Express Program to make sure shops are charging the vehicle insurance deductible amount.

"When a customer makes a claim, they are required to pay a deductible," explained ICBC spokeswoman Kate Best, "so repair shops provide ICBC with credit card information to confirm the payment of the deductible."

ICBC's position is that audits of repair shops are reasonable to verify payments, she said.

"The matter is currently before the information and privacy commissioner and ICBC will await the ruling," Best said.

The association says while membership in the glass express program is voluntary -- about 700 businesses and 60 per cent of glass repair shops participate in the program -- shops would suffer a drastic loss in business if they withdrew or refused to hand over the financial information of customers during ICBC audits.

The association made a final submission to the privacy commissioner on July 30, pointing out a recent B.C. Court of Appeal decision "confirmed that the collection and disclosure must be authorized by law."

The appeal court, in its ruling involving Royal City Jewellers & Loans Ltd., struck down a New Westminster bylaw allowing police to collect financial and personal information about people selling or pawning items to second-hand stores and pawn shops. The shops still collect the information but take the position they won't hand it over to police without a court order or search warrant.

Royal City Jewellers launched the court challenge, stating it was an invasion of privacy for law-abiding customers.

Sunday, August 12, 2007

Plain and simpe privacy, from Google

Google apparently has been doing a lot of thinking about privacy as of late. They've even put together a five minute video on search privacy, available via YouTube.

From the official Google blog:

Official Google Blog: Google search privacy: Plain and simple

Cookies, IP addresses, logs -- all of these are important things to understand in the context of online privacy. We try to explain them in clear and simple language in our privacy policy and FAQ. But they're not always easy for non-techies to understand. Google is committed to being transparent about our privacy practices. We've been thinking about different ways to help people understand the technical aspects of online privacy, to improve transparency, and to empower you to make informed decisions about how you want to use our services. Today, we're launching our first experiment to explain basic privacy concepts via video on YouTube. Here it is:

This video runs about 5 minutes, so we couldn’t cover everything. Over time, we hope to create additional videos where we talk about other privacy issues: what data do we collect when you register for a Google Account? or - when you search on Google while you’re logged in? or - why does Google keep server logs? But before we head down the road of sequels, we’d like to get your feedback on whether you find this video format helpful. So please watch it and tell us what you think. We look forward to hearing from you.

China Enacting a High-Tech Plan to Track People

Today's New York Times has an interesting article on new surveillance technologies being built by American companies for use in China:

China Enacting a High-Tech Plan to Track People - New York Times

... Starting this month in a port neighborhood and then spreading across Shenzhen, a city of 12.4 million people, residency cards fitted with powerful computer chips programmed by the same company will be issued to most citizens.

Data on the chip will include not just the citizen’s name and address but also work history, educational background, religion, ethnicity, police record, medical insurance status and landlord’s phone number. Even personal reproductive history will be included, for enforcement of China’s controversial “one child” policy. Plans are being studied to add credit histories, subway travel payments and small purchases charged to the card.

Security experts describe China’s plans as the world’s largest effort to meld cutting-edge computer technology with police work to track the activities of a population and fight crime. But they say the technology can be used to violate civil rights....

Friday, August 10, 2007

US unveils more privacy-friendly no-fly list

Apparently the American government is about to implement its latest version of the no-fly list, without data mining using commercial sources. It looks a lot like the Canadian "Passenger Protect" program:

Even Bruce Schneier thinks it shows common sense.

Feds offer simpler flight screening plan on Yahoo! News

By MICHAEL J. SNIFFEN, Associated Press Writer

Thu Aug 9, 6:34 PM ET

The government proposed a new version of its airline passenger screening program Thursday, stripped of the data mining that aroused privacy concerns and led Congress to block earlier versions.

It's been three years since the Sept. 11 Commission recommended and Congress ordered that the government take over from the airlines the job of comparing passenger lists with watch lists of known terrorist suspects to keep them off flights. Even this new version of the Secure Flight program is open for public comment and will be tested this fall before it can be implemented fully in 2008.

The third version of the program, once known as CAPPS II, drew positive reviews from privacy advocates and members of Congress who had objected to more elaborate earlier versions. Congress enacted legislation blocking earlier plans to collect private commercial data — like credit card records or travel histories — about all domestic air travelers in an effort to predict which ones might be terrorists.

The new plan would require passengers to give their full name when they make their reservations — either in person, by phone or online. They also will be asked if they are willing to provide their date of birth and gender at that time to reduce the chance of false positive matches with names on the watch lists.

"Finally, this appears to have a coherent, narrow and rational focus," said James Dempsey of the Center for Democracy and Technology, a privacy advocacy group. "This is a vast improvement over what we've seen before."

Even Democrats in Congress were cautiously positive.

"They've been slow to admit that minimizing invasions and breaches of Americans' privacy is part of their job," said Senate Judiciary Committee Chairman Patrick Leahy, D-Vt. "We will evaluate these steps to see if they measure up."

House Homeland Security Chairman Bennie Thompson, D-Miss., said he hoped the administration would stay alert to privacy issues. "I am extremely disappointed it has taken three years and passage of several pieces of legislation to get us to step one."

Thompson added that he hoped it was a sign of foresight that the new plan was announced along with new screening arrangements for international travelers.

At a news conference at Reagan National Airport, Homeland Security Secretary Michael Chertoff also announced that starting six months from now airlines operating international flights will be required to send the government their passenger list data before the planes take off rather than afterward, as is now the case.

Earlier sharing of passenger information is designed to give U.S. authorities more time to identify terrorists like Richard Reid, who attempted to light a shoe bomb on a trans-Atlantic flight in December 2001, and keep them off planes.

"Now the airlines give us their manifests after the plane has left the ground and that is too late," Chertoff said.

The Homeland Security chief said he was unaware of any specific, credible threat against airlines. But based on recent car bomb attempts in Great Britain and public statements by terrorists, he repeated his view that "we are entering a period where the threat is somewhat heightened."

"Look at the history of al-Qaida," Chertoff said. "The airplane has been a consistent favorite target of theirs."

On the domestic side, transferring watch-list checks to Transportation Security Administration officers "should provide more security and more consistency, and thus reduce misidentifications" that have frustrated passengers, Chertoff said.

Existing screening has been widely ridiculed because people like Sen. Edward M. Kennedy, D-Mass., other members of Congress and even infants have been blocked from boarding or delayed because their names are similar to names on the lists.

Chertoff said the new domestic system will avoid activities envisioned earlier that raised privacy concerns.

"Secure Flight will not harm personal passenger privacy," Chertoff said. "It won't collect commercial data (about passengers). It will not assign risk scores and will not attempt to predict behaviors."

Such plans alarmed Congress so much that it barred implementing the program until it passed 10 tests to ensure privacy and accuracy. The Government Accountability Office, Congress' auditing arm, found the previous version failed almost all of them.

Currently, only a passenger's full name is required when reservations are made although date of birth and gender usually become known to transportation security officers later in the boarding process.

Transportation Security Administrator Kip Hawley said volunteering those two items earlier would reduce misidentifications in watch-list matching.

"With the full name, we can resolve 95 percent of the cases correctly. The date of birth adds 3.5 percent to that, and the gender adds another one percent," Hawley said.

Privacy advocates like Dempsey and Bruce Schneier, chief technology officer at the security company BT Counterpane, also were pleased with limits on how long most records will be kept. A check that produces no match — which will be the case for the vast majority of travelers — would be kept only seven days. A false positive match would be kept seven years. Confirmed matches would be kept 99 years.

"On the surface, it looks pretty good," Schneier said. "I'm cautiously optimistic. It's nice to see some common sense."

Tuesday, August 07, 2007

Montreal mall fake toilet-cam raising concerns

I was interviewed about this on a Montreal radio station on Friday. It's an interesting issue, because information is not being collected:

Toilet cam working even when it doesn't

Toilet cam working even when it doesn't

Mall customer outraged but landlord says dummy is effective


Published: Friday, August 03

Yes, that's a real surveillance camera on the ceiling of the men's washroom off the food court of Les Cours Mont Royal - but don't worry, it's not operating.

That reassurance was not good enough for at least one Montreal businessman who was outraged to see a video camera in a public bathroom at the downtown Montreal mall.

The camera is inside a protective dome and appears to be pointed toward the washroom's common area, where the urinals are. As of yesterday, there were no signs explaining what the camera is for or whether it is on.

When the man asked a maintenance person about the camera, he was told it wasn't actually functioning but was there to discourage certain activities.

"If the video surveillance is not functional, what assurances do we have that it will not be in the future?"the man wrote in a complaint to mall owners Soltron Realty Inc., which he forwarded to The Gazette on the condition his name not be published.

"If it is functional," the letter continued, "who is watching, is the information secure and will we find our pictures on the Internet? ... I find the use of surveillance camera (real or fake) inside a washroom to be absolutely unethical, immoral and most likely illegal." Unless the camera is removed within 10 days, the man said, he will lodge a complaint with Quebec's privacy commission.

A spokesperson for Soltron said the camera was installed in the washroom several years ago to discourage "sexual misconduct and drug use." Carmela Amorosa, marketing director for Soltron, said the company realized it was illegal to place an operating camera in a public bathroom, but felt some action was necessary.

"It is working," Amorosa said. "Now we don't have these problems. We are doing this to protect our customers from this sort of behaviour in the bathroom." But the case raises questions about the right to privacy and video surveillance, said sources in Quebec's Justice Department, as well as federal and provincial agencies that safeguard privacy.

"People are right to be concerned about being monitored," said Colin McKay, of the federal Office of the Privacy Commissioner.

"The case is interesting because they are not technically collecting information, they are just giving that impression. But perception for a lot of people is a legitimate concern. If they are doing it as a deterrent, they should make that clear." Luc Fortin, an aide to Benot Pelletier, the cabinet minister responsible for Quebec's privacy commission, said it is unclear whether a complaint about camera surveillance in a public washroom would be heard by the Privacy Commission or the Human Rights Commission.

"If it is a question of voyeurism, that would clearly be a case for the Human Rights Commission, but if the camera is being used to gather information and set up a file about a specific person, it would be something we would deal with," Fortin said.

"It's not technically illegal" to install video cameras in public bathrooms, "but companies that do it certainly risk complaints," said Robert Sylvestre of the Quebec Human Rights Commission.

Several court cases have resulted in jurisprudence and a set of principles about video surveillance in public places, he said.

"One of those principles is that the operator of the camera should be able to show that other methods have been tried and failed before they resorted to this."

Cameras coming to BC buses

Video cameras are coming to public transportation in British Columbia. Probably not breaking news, but I find the following quote to be interesting:

"Many proponents of the system say the public is already recorded on video in malls, ATM machines, and various other areas. Cameras on buses and other public areas, they believe, is simply a natural extension."

With cameras in many places, where is it not a natural extension? Once they are commonplace in one public area, it's very easy to justify putting them in another locale.

BCNG Portals Page (R)

Closed-circuit TV cameras coming to buses

By Kevin Diakiw Black Press

Aug 03 2007

Cameras will be installed on all buses in the coming months, but privacy watch-dogs are concerned about how they’ll be used.

TransLink will spend $4 million for camera installation, primarily as a measure for driver safety. However, TransLink spokesman Ken Hardie said cameras will be placed on various areas of the bus, and will not simply be focused at the driver.

“I believe actually there will be more than one camera on the bus, there will be a number of different views,” Hardie said Wednesday.

The expansion of Closed Circuit Television cameras (CCTV) onto buses has been sold primarily as a device to prevent assaults on drivers.

Hardie said they will have several uses.

“Let’s say taggers, who can create mayhem inside a bus, just by leaving graffiti and other damage,” Hardie said. “... now buses might not leave them the kind of anonymity that they love to have when they do their work.”

It’s that kind of “function creep” that concerns civil libertarians.

“I am concerned about this notion ... now that we’ve got them on the bus ... let’s point them all over the bus and let’s catch the kids with crayons in the back seat while we’re at it,” said Micheal Vonn, policy director for B.C. Civil Liberties Association.

She’s also concerned about who would have access to the images.

Hardie said the video will be “recorded on board” to a hard drive and overwritten every week. A special team with Coast Mountain Bus Ltd. would be the only people with access to the video, unless required by police or court.

Many proponents of the system say the public is already recorded on video in malls, ATM machines, and various other areas. Cameras on buses and other public areas, they believe, is simply a natural extension.

“The question is to what degree are we becoming immune to the idea we should not be on film whenever we’re outside of our house,” Vonn said.

With scores of people already on any particular bus witnessing what’s going on, many feel the public expectation of privacy is low.

Vonn has heard the argument and disagrees.

“If I’m in a restaurant having a private conversation with a friend, a server can overhear snatches of what I’m saying,” Vonn said. “It’s quite different than having my Waldorf salad bugged and my entire conversation recorded.”

Hardie said TransLink is working with the B.C. Privacy Commissioner and will be submitting a privacy impact assessment as part of the process.

At the end of the day, the public will be safer with the presence of cameras on the region’s buses, he said.

“For one element, to know their actions are being recorded will make them think twice, there will be a deterrent effect in some respects,” Hardie said.

TransLink is hoping it will serve not only as an effective investigative tool for police, but will lead to stiffer penalties when perpetrators go to court.

Friday, August 03, 2007

Federal Privacy Commissioner releases privacy breach guidelines

The Federal Privacy Commissioner has just released privacy breach guidelines, which are similar to guidelines produced by the Ontario and British Columbia commissioners. Here is the press release, with links to the guidelines:

News Release: Privacy Commissioner releases privacy breach guidelines (August 1, 2007) - Privacy Commissioner of Canada

Privacy Commissioner releases privacy breach guidelines

Ottawa, August 1, 2007 – New guidelines will help organizations take the right steps after a privacy breach, including notifying people at risk of harm after their information has been stolen, lost or mistakenly disclosed, says the Privacy Commissioner of Canada, Jennifer Stoddart.

The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.

“It’s clear that most businesses take seriously their responsibilities under Canada’s private-sector privacy law. I want to thank the industry groups, civil societies groups and privacy commissioners' offices that helped my office in developing these,” Commissioner Stoddart says.

The Office of the Privacy Commissioner (OPC) has become increasingly concerned about privacy breaches and breach notification following some major data breaches in recent months. Earlier this year, Commissioner Stoddart urged the federal government to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to make it mandatory for businesses to notify people when their personal information has been breached.

“Our new voluntary guidelines do not take away from the need for breach notification legislation,” the Commissioner says. “I would once again urge the Minister of Industry and his cabinet colleagues to help better protect Canadians by making breach notification a legal requirement for businesses.” The guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm. For example, there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.

Organizations are also encouraged to inform the appropriate privacy commissioner(s) of a privacy breach. (In British Columbia, Alberta and Quebec, provincially regulated businesses should speak to their provincial privacy commissioners. In Ontario, breaches involving personal health information must be reported to the provincial commissioner.)

The OPC is currently investigating two high-profile privacy breach cases involving large amounts of personal information.

In one case, the Canadian Imperial Bank of Commerce reported to the OPC the disappearance of a hard drive containing the personal information and financial data of close to half a million clients of its subsidiary, Talvest Mutual Funds.

The other investigation, being conducted jointly with the Information and Privacy Commissioner of Alberta, is looking at a breach at TJX Companies Inc., which affected thousands of Canadians who shopped at TJX’s Winners and HomeSense stores.

The new guidelines as well as a privacy breach checklist and a list of organizations which participated in the consultation process to develop the guidelines are available on the OPC website,

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Wednesday, August 01, 2007

Credit card slip-ups can carry a cost

PIPEDA should be old news. It came into force generally on Jauary 1, 2004, so we shouldn't be seeing more stories about merchants printing all credit card numbers on sales slips. But it happened to Ellen Roseman at the Toronto Star and she's not happy about it. See: - columnists - Credit card slip-ups can carry a cost.

Thanks to Rob Hyndman for the pointer.