Monday, March 31, 2008

Google revamps Google Privacy Center

Google has announced a revamp of the Google Privacy Center:

Official Google Blog: Privacy made easier

Privacy made easier

3/28/2008 07:20:00 AM Posted by Jane Horvath, Senior Privacy Counsel, and Peter Fleischer, Global Privacy Counsel

Because we're strongly committed to protecting your privacy, we want to present our privacy practices in the clearest way possible. Over the past year, we've been experimenting with video to clarify and illustrate the privacy practices set forth in our Google Privacy Policy. We've used videos to communicate with you about things like cookies, IP addresses, and logs. (Check out the Google Privacy Channel on YouTube.) And you've told us that the screen shots, whiteboard drawings, and pointers from the engineers and product managers we've captured on video are helping you better understand the fine points of our Privacy Policy.

With that in mind, today we're announcing a revamp of our Privacy Center. The new Center is a one-stop shop for privacy resources, with various multi-media formats aimed to help you further understand how we store and use data, how to control who you share your data with, and how we protect your privacy. We hope this new Center will help you make more informed privacy choices whenever you use Google products and services.

What's new from Alberta

There have been some interesting releases from the Information and Privacy Commissioner of Alberta's office:


Order P2007-014

Posted: Mar/19/2008

Adjudicator rules personal information released in contravention of Personal Information Protection ActAn Adjudicator with the Office of the Information and Privacy Commissioner has ruled that the Alberta Teachers’ Association contravened the Personal Information Protection Act (PIPA), when it published an article containing the personal information of former members.

The Complainants filed the complaint when the ATA published their names in a newsletter stating that they no longer were required to adhere to the ATA’s Code of Professional Conduct.

The ATA argued while it had published personal information, it had done so for “journalistic purposes” and that PIPA did not apply.

The Adjudicator determined that PIPA did apply and that the information was disclosed contrary to sections 7 and 19 of PIPA.

Order F2007-026

Posted: Mar/18/2008

Adjudicator finds Alberta Energy and Utilities Board did not disclose personal information in contravention of the FOIP Act

Order F2007-019

Posted: Mar/11/2008

Information and Privacy Commissioner, Frank Work, has ruled that the parents of a student had no legal standing in a complaint over the seizure of their son’s cell phone. The Commissioner says he was not presented with any evidence under section 84 of the Freedom of Information and Protection of Privacy Act (FOIP) that the parents were authorized to act on behalf of their son, nor is there any evidence that the son is even aware of a complaint being made on his behalf.The parents complained to the Commissioner their son’s cell phone had been seized by school administrators who had accessed photographs contained on the phone.

During an inquiry into the matter, the Commissioner found the evidence did not establish that the parents had standing to make a complaint. The Commissioner also found there was little evidence that the son’s personal information had been collected or used by the school.

Investigation Report P2008-IR-002

Posted: Mar/06/2008

Commissioner releases investigation report on DeVry Institute of Technology, related to discovery of identity theft.

News Release P2008-IR-002

Posted: Mar/06/2008

Commissioner releases investigation report related to discovery of identity theft

News Release: New Video Surveillance Guidelines

Posted: Mar/06/2008

New guidelines set out how companies should evaluate the use of video surveillance that respects privacy rights and complies with the law.

Order F2008-007

Posted: Mar/06/2008

Adjudicator upholds decision not to release Crown Prosecutor records

Order P2008-001

Posted: Mar/06/2008

Adjudicator rules company tried to find applicant's personal information

Ontario's Commissioner recommends PHIPA to Americans

Last week's New York Times had an editorial on Safeguarding Private Medical Data:

... These are good steps, but a larger solution is needed. There should be a federal law imposing strict privacy safeguards on all government and private entities handling medical data. Congress should pass a bill like the Trust Act, introduced by Representative Edward Markey, a Democrat of Massachusetts, imposing mandatory encryption requirements and deadlines for notifying patients when their privacy is breached. As the N.I.H. has shown, medical privacy is too important to be left up to the medical profession.

In today's edition, Ontario's Information and Privacy Commissioner responds:

Ontario’s Example on Privacy - New York Times

To the Editor:

Re: Editorial: Safeguarding Private Medical Data (March 26, 2008)

I couldn’t agree with you more. In Ontario, we take privacy very seriously, especially when it comes to medical data.

Four years ago, we passed the Personal Health Information Protection Act, or Phipa, and haven’t looked back. This law provides solid privacy protection for health data but doesn’t act as a barrier to the delivery of health services. It doesn’t interfere with health care but ensures that it comes wrapped in a layer of privacy.

As privacy commissioner of Ontario, I can investigate complaints and issue orders if Phipa is breached. One order I issued requires that any identifiable health data must be encrypted if removed from a health care facility on a laptop or any other medium.

Medical privacy is far too important to be left to chance, or to the well intentioned. Strong legislated safeguards are needed.

Take a look at Phipa, which could serve as an excellent model.

Ann Cavoukian

Toronto, March 27, 2008

Sunday, March 30, 2008

New technology allows backup tapes to phone home

Lost, misplaced or stolen backup tapes are a common cause of privacy breaches. In response, Fujufilm has developed a LoJack for backup tapes using GPS technology. See: Fujifilm bugs backup tapes with LoJack device The Register. The tapes can be traced and located when being transported.

The next step, I assume, is a gadget that prevents the tapes from being auctioned.

Saturday, March 29, 2008

US Patriot Act deters Canadians from Google service

I was interviewed last week by, a service of UK firm Pinsent Masons, for an article on the recent stories out of Canadian universities about hesitation to use Google's services due to USA Patriot Act concerns. See: US Patriot Act deters Canadians from Google service OUT-LAW.COM.

Out-law also has a weekly podcast that featured this story, which includes portions of my interview. See: High quality recording (10MB, 12 minutes) or Low quality recording for 27/03/2008 (2MB, 12 minutes).

Thursday, March 27, 2008


Michael Geist has been a critic of the legislation enabling the new Canadian "Do Not Call List", which specifically permits calls from polling companies, newspapers, political parties and others. So to enable users to opt out even more, Michael has developed a website that sends specific do not call requests to individual companies and organizations. Check it out:

iOptOut - Welcome to iOptOut

Welcome to iOptOut

The Canadian government passed legislation in 2005 mandating the creation of a do-not-call registry. The registry is scheduled to take effect in mid-2008, yet many Canadians may be disappointed to learn about the exemption of a wide range of organizations (registered charities, business with prior relationships, political parties, survey companies, and newspapers). Under the law, exempted organizations are permitted to make unsolicited telephone calls despite the inclusion of the number in the do-not-call registry. However, organizations must remove numbers from their lists if specifically requested to do so. IOptOut takes advantage of this approach by allowing Canadians to create and manage a personal do-not-call list that begins where do-not-call legislation ends. Once you register, you'll be able to view a categorized list where you can opt-out of further contact from exempt organizations.

To do this we send an email notification to each organization on your behalf requesting that your name, email address and phone number(s) be removed from their active marketing lists.

Privacy fears delay UK airport fingerprint biometrics

According to Information Age, privacy concerns have at least delayed the implementation of fingerprint biometrics at Heathrow's new Terminal 5 (For some background, see: Canadian Privacy Law Blog: A small step for biometrics; a giant leap for the UK surveillance state). See: Privacy fears delay Terminal 5 fingerprint biometrics | Information Age.

Info on participants in kids' summer program found in open trash in Toronto

The Toronto Sun is reporting that information about children who participated in a city-funded summer program was found in an open trash bin in a Toronto apartment building. The Sun also notes that a resident of the building was recently charged for child pornography offenses, but the two do not appear to be related. - Toronto And GTA- Kids' data exposed

Documents containing detailed information on children who participated in a city-funded summer program were carelessly left out in the open at a public housing apartment building where a man was recently charged with possession of child pornography.

George Pappas, director of the Glamorgan Resident's Association, was running one of his weekly social events for the residents when he and another member of his group found approximately 200 pages near the top of a garbage can in the rec room.

The papers contained the birth dates, health card numbers, contact details and other personal information on children from 6 and 7 Glamorgan Ave. and other nearby Toronto Community Housing buildings who participated in the summer program. ...

Tuesday, March 25, 2008

Patient files found in vacant Saskatchewan office space

Not good ...

Patient files found in vacant Yorkton office space:

"REGINA -- Hundreds of patient files have been discovered in a vacant Yorkton office space, prompting an investigation by the Saskatchewan Information and Privacy Commissioner.

An anonymous complaint tipped the commissioner's office to the presence of five large boxes containing what appears to be physician records for as many as 800 or 900 patients in the Yorkton region, Commissioner Gary Dickson said Monday...."

Smile, Big Brother's watching

I was interviewed some time ago for a Globe & Mail article on workplace surveillance, which appeared yesterday. The piece discusses keystroke loggers, access cards and video surveillance. See: Smile, Big Brother's watching.

Using Facebook's power for YOU.

Rob Hyndman has a great post about Facebook and why he's finding it increasingly boring. The site has loads of users' personal information. It knows who your friends are and who their friends are. It knows what you post and it knows who you are closest with. It knows your social network and what's going on in it.

So, Rob asks, why isn't Facebook using that information to be more useful for the user? Why doesn't it introduce you to friends of friends who you'd probably like? Why doesn't it suggest TV shows? Or let you rate your music and share your recommendations among similarly-minded friends (or foafs). Loads of websites take your personal information and offer a single service in return. But Facebook and social networking sites take loads of personal information, analyze it to death but don't offer the users with a complete return on that personal information. Good questions, Rob. For those who opt in, that would be the Web 2.0 killer app. See: » Blog Archive » What Facebook Needs to do to Not be Boring.

Toilet cameras are for research purposes only

After the recent spate of toilet cam stories (Canadian Privacy Law Blog: Montreal mall fake toilet-cam raising concerns, Canadian Privacy Law Blog: Montreal Second Cup owner forced to take down bathroom surveillance camera), I was at first shocked, puzzled and then amused by the sticker that was posted on Boing Boing. It had been spotted in a bathroom in a San Francisco coffee shop. It turns out it was part of a prank created by Sean Savage at Cheesebikini, though commentators at Boing Boing say they were originally part of a set of stickers produced by Maxim Magazine. In the interests of science, I've discovered that there are others who put stickers up in bathrooms suggesting you are being watched, including a Flickr user who puts labels of "THIS IS A CAMERA" on bathroom fittings. For more info and a handy PDF to make your own labels, see: cheesebikini? » Blog Archive » Bathroom Prank.

Friday, March 21, 2008

State Dept fires two for snooping into Obama's passport records

For the record, I do not delight in the misfortunes of others but I am glad to see that the US Department of State has fired two people for inappropriately snooping into the passport records of Barak Obama. Access to sensitive records must be adequately policed in order for people to be able to trust the systems that keep the info safe. It appears that the State Dept. has a pretty good system and is willing to mete out punishment for policy violations.

Monitoring systems are tripped when an employee accesses the records of the high-profile individual, a department official told NBC News. "When the monitoring system is tripped, we immediately seek an explanation for the records access. If the explanation is not satisfactory, the supervisor is notified."

See: 2 fired over Obama passport breach - Decision '08- Via the equally vigilant Boing Boing.

UPDATE: Other candidates' passport files have been similarly perused: Candidates' passport files breached - Yahoo! News.

Tuesday, March 18, 2008

UK police urge that young children be added to already enormous DNA list

Just in case you were starting to wonder about the benefits of a written constitution and bill of rights, the UK steps up to the plate: Authorities in England are proposing to collect the DNA of five year olds in case they grow up to be terrorists, thugs, or ne'er do wells. And if you have a transit card, your movements will be analyzed by the sercurity services in case you are a terrorist, thug or ne'er do well. See: Put young children on DNA list, urge police Society The Observer. Via Boing Boing.

Saturday, March 15, 2008

Anti-money laundering system exposed Spitzer

The downfall of Eliot Spitzer, former governor of New York, was precipitated by a financial information system that has been seen by Canadians as too intrusive to implement in Canada. The system requires financial services companies to report suspicious looking transactions. High profile politicos are tagged for closer scrutiny in an effort to detect blackmail and corruption. (See: How an information system helped nail Eliot Spitzer and a prostitution ring Between the Lines

To me, this is an example of how intrusive legislation designed to go after big crimes (terrorism financing, money laundering, corruption) often will be used to prosecute much more minor ones. In the case of Spitzer, it's a "minor misdemeanor".

While Canada has money laundering laws and requirements to report suspicious transactions, the Canadian government has declined to put additional scrutiny on "politically exposed persons": Ottawa dropped plan for more scrutiny


From Thursday's Globe and Mail

March 12, 2008 at 10:25 PM EDT

Canada quietly dropped an anti-money-laundering proposal for politicians that would have automatically scrutinized the type of financial transaction New York Governor Eliot Spitzer used to hire prostitutes.

In 2005, the Department of Finance recommended including so called “politically exposed persons,” or PEPs, on the list of people whose financial dealings would receive more scrutiny under the anti-money-laundering legislation. That legislation requires banks, casinos, real-estate agents and others to report suspicious financial transactions as well as all transactions of more than $10,000.

At the time, the department defined PEPs as politicians, judges, military leaders, senior bureaucrats or senior executives of Crown corporations. The proposal would have required banks to review large transactions by these people and “conduct enhanced ongoing monitoring of the business relationship” that led to the transaction.

Finance officials said PEPs had become higher-risk customers for financial institutions “as they have potentially greater opportunities to engage in corrupt activities.” They promised that the measure would show that “Canada will do its part in the global fight against corruption.”

However, the proposal was dropped last year after many groups, including the federal Privacy Commissioner, complained that the definition of PEP was too broad and could have included thousands of Canadians. Instead, the government opted to include only foreign PEPs, defined generally as foreign political, military or business figures who hold accounts in Canadian institutions. That change takes effect in June.

The United States has generally stricter reporting rules and it has included foreign PEPs for years. Since the September, 2001, terrorist attacks, federal officials have also pushed U.S. banks to track accounts held by high-profile domestic politicians as well, in order to guard against bribery.

That extra scrutiny appears to have tripped up Mr. Spitzer. According to various news reports, two banks became suspicious last summer about money transfers Mr. Spitzer made from his accounts. Even though the amounts were each less than $10,000, the banks filed Suspicious Activity Reports with the U.S. Treasury Department. Those officials passed on the information to investigators at the Internal Revenue Service who were looking into the prostitution ring.

Canadian officials said yesterday that there are no plans to change our reporting system to specifically include more scrutiny of politicians. They added that our system is in line with many other countries and requires reporting of all suspicious transactions.

“If the financial institution or the casino or the real-estate agent feels there's a potential here that it might be linked to money laundering or criminal activity, there's a legal requirement on them to report it,” said Peter Lamey, a spokesman for the Financial Transactions and Reports Analysis Centre, the federal agency that collects and analyzes Canadian reports.

“We provide guidelines around what might be determined suspicious and how you might come to that determination.”

UCLA employees being shown the door for peeking at Britney's records

One of the many privacy issues of electronic health records is that "authorized" users of ehr systems are known to look up the records of celebrities and others. The Los Angeles Times reports that 25 employees of UCLA Medical Center are being investigated for peeking at Britney Spears' medical records when she was admitted there. Thirteen employees are on their way to being fired for the offense: UCLA workers snooped in Spears' medical records - Los Angeles Times. Also, see Medical Workers Fired For Looking At Britney Spears' Records - News Story Music, Celebrity, Artist News MTV News.

Illustration of ten largest data breaches since 2000

Flowing Data, which "explores how statisticians, designers, computer scientists, and others are using data to understand more about ourselves and our surroundings", has an illustration of the ten largest recent data breaches. See: 10 Largest Data Breaches Since 2000 - Millions Affected FlowingData. Via Boing Boing.

Friday, March 14, 2008

US Federal Court limits employment drug testing

This is an interesting development: The Ninth U.S. Circuit Court of Appeals in San Francisco ruled against a municipality that argued it was entitled to maintain a drug-free workplace by requiring all job candidates to be screened for drugs and alcohol. The case started when the city withdrew a job offer to a librarian who had refused to pee in a cup. The Court has decided that there needs to be a compelling reason related to the duties of the job to justify drug testing. See: Court ruling limits employment drug testing and the decision here.

Sunday, March 09, 2008

The New School of Information Security

Adam Shostack, one of the most prolific contributors at Emergent Chaos, is the co-author of an interesting-sounding book being launched tomorrow. Here's the scoop from Amazon: The New School of Information Security: Adam Shostack,Andrew Stewart: Books

Why is information security so dysfunctional? Are you wasting the money you spend on security? This book shows how to spend it more effectively. How can you make more effective security decisions? This book explains why professionals have taken to studying economics, not cryptography--and why you should, too. And why security breach notices are the best thing to ever happen to information security. It’s about time someone asked the biggest, toughest questions about information security. Security experts Adam Shostack and Andrew Stewart don’t just answer those questions--they offer honest, deeply troubling answers. They explain why these critical problems exist and how to solve them. Drawing on powerful lessons from economics and other disciplines, Shostack and Stewart offer a new way forward. In clear and engaging prose, they shed new light on the critical challenges that are faced by the security field. Whether you’re a CIO, IT manager, or security specialist, this book will open your eyes to new ways of thinking about--and overcoming--your most pressing security challenges. The New School enables you to take control, while others struggle with non-stop crises.

Better evidence for better decision-making

  • Why the security data you have doesn’t support effective decision-making--and what to do about it
  • Beyond security “silos”: getting the job done together
  • Why it’s so hard to improve security in isolation--and how the entire industry can make it happen and evolve
  • Amateurs study cryptography; professionals study economics
  • What IT security leaders can and must learn from other scientific fields
  • A bigger bang for every buck: How to re-allocate your scarce resources where they’ll do the most good

Crossing the border? Consider the possibility of laptop searches

As March Break is almost in full swing, it's timely to read Compterworld's recent 5 things you need to know about laptop searches at U.S. borders. State sovereignty usually means that a country has total control over who and what gets in and traditional searches are being extended to laptop searches. This makes sense on one level but seems futile as any traveller can upload ilicit digital content before crossing into the US and then download it on the other side of the border.

But searches are happening, so make sure you delete from your computer all content that you wouldn't want disclosed as part of such a search. Lawyers should particularly remove any privileged content they don't need to be taking with them. And if you're a public servant from BC, Alberta or Nova Scotia, you can't take it with you thanks to the USA Patriot Act blocking legislation in your province.

Google/Doubleclick merger expected to clear EU hurdles this week

According to Reuters, the proposed merger of Google and Doubleclick is expected to clear all regulatory hurdles in the European Union despite protests of privacy advocates. See: EU set to clear Google/DoubleClick merger Technology Reuters.

Saturday, March 08, 2008

A small step for biometrics; a giant leap for the UK surveillance state

Passengers flying through Heathrow Airport, Terminal 5, will be photographed and fingerprinted twice before being permitted to board domestic flights. The British Airport Authority, which runs the new terminal through which all British Airways passengers will travel say this measure is "necessary to prevent criminals, terrorists and illegal immigrants trying to bypass border controls."

The only reason why this may be necessary is that the design of the new terminal permits international and domestic passengers to mingle in the secure area. Theoretically, transiting international passengers would be able to swap boarding passes with a domestic passenger circumventing border controls. On balance, it just makes sense to ramp up the big brother factor if it means the BAA doesn't have to follow the non-intrusive but universal designs used by every other airport I have ever been through.

The BAA also says the fingerprints will be discarded after 24 hours, unless -- of course -- they are of interest to the police. See: Heathrow airport first to fingerprint - Telegraph. Via the ever vigilant Boing Boing: Heathrow Terminal 5 to fingerprint domestic passengers - Boing Boing.

Friday, March 07, 2008

Assistant Commissioner takes the show on the road

Over the last couple of days, representatives of the Office of the Privacy Commissioner of Canada have had a real blitz through Halifax. Elizabeth Denham, the current Assistant Commissioner responsible for PIPEDA and her predecessor, Heather Black, have been in town as part of an outreach effort to determine what it takes to raise awareness of and compliance with privacy laws in the eastern hinterlands. As part of this, the office has hired a representative who is based in Halifax to lead these outreach efforts.

I had the pleasure of hearing Heather Black speak at Dalhousie Law School on Wednesday night about the genesis and drafting of PIPEDA. It's an interesting story about how we ended up with two pieces of legislation (the Personal Information Protection Act and the Electronic Documents Act) thrown together and how, at the last minute, the proposed bill was changed to go beyond the federally regulated sector.

Yesterday, the Information Technology Industry Alliance of Nova Scotia (of which I'm the Director of Advocacy) hosted a roundtable with representatives of the IT, telecom, health, marketing, retail and small business sectors to talk about why awareness of PIPEDA is so low among consumers and small business, and what can be done to change that. Earlier in the day, they had participated in a fraud prevention forum, also at Dalhousie: Nova Scotia News -

I understand the mission in Halifax continues today ...

Thursday, March 06, 2008

Privacy Commissioners Release New Video Surveillance Guidelines

The Privacy Commissioners of Canada, British Columbia and Alberta today have released Guidelines for Overt Video Surveillance in the Private Sector to help businesses consider privacy matters when deciding whether to and how to implement overt video surveillance. (I wonder whether they'll also produce guidelines on covert surveillance?)

From the media release:

Privacy Commissioners Release New Video Surveillance Guidelines

Privacy Commissioners Release New Video Surveillance Guidelines

OTTAWA, March 6, 2008 — Private-sector organizations considering video surveillance systems must take specific steps to minimize the impact on people’s privacy, say video surveillance guidelines released today.

The new guidelines set out how companies should evaluate the use of video surveillance and ensure any surveillance they undertake is conducted in a way that respects privacy rights and complies with the law.

These guidelines have been endorsed by Jennifer Stoddart, the Privacy Commissioner of Canada, Frank Work, the Information and Privacy Commissioner of Alberta, and David Loukidelis, the Information and Privacy Commissioner for British Columbia.

“We have seen a dramatic increase in the use of surveillance cameras by private-sector organizations. Many of our day-to-day activities are now captured by these cameras,” says Commissioner Stoddart.

“There are some legitimate reasons to conduct video surveillance, but privacy laws in Canada impose restrictions and obligations when, where and how businesses can conduct this kind of surveillance,” says Commissioner Loukidelis.

“These guidelines make it clear that businesses must carefully evaluate why they are installing video surveillance equipment, and what they will do with the information that is collected,” says Commissioner Work.

The Commissioners say it is disturbing to hear stories about video surveillance operators deliberately pointing cameras to ogle women, as well as surveillance images of people caught in unflattering situations finding their way onto video sharing sites like YouTube and Vimeo.

The new guidelines are aimed at businesses subject to the Personal Information Protection and Electronic Documents Act, or PIPEDA. They are also targeted at businesses subject to the provincial Personal Information Protection Acts in Alberta and British Columbia.

The overarching principle for video surveillance – which stems from the key legal test under the federal and provincial laws – is that it should be used only for purposes that a reasonable person would consider appropriate in the circumstances.

The guidelines state that, in order to limit the impact on privacy, cameras should be positioned to avoid capturing the images of people not being targeted (e.g., someone walking outside a store). As well, cameras should not be used in areas where people have a heightened expectation of privacy, such as washrooms, and through building windows.

The guidelines also say:

  • People should be notified about the use of cameras before they enter the premises.
  • Individuals whose images are captured on videotape should, upon request, be given access to this recorded personal information.
  • Organizations must ensure that video surveillance equipment and videotapes are secured and used for authorized purposes only.
  • Individuals who operate video surveillance systems should understand the privacy issues related to surveillance and their obligations under the law.
  • Video surveillance recordings should be retained only as long as necessary and destroyed securely.

The complete guidelines for private-sector organizations are available at, and The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia have previously published guidelines for the use of video surveillance in public places by police and law enforcement authorities.

All three privacy commissioners are statutorily mandated to oversee compliance with the Acts and are advocates and guardians of privacy and the protection of personal information rights of Canadians.

Wednesday, March 05, 2008

Federal Commissioner drops greeting card inquiry; political parties beyond reach of privacy legislation

Interesting, but not surprising, development:

CANOE -- CNEWS - Canada: Privacy czar drops Rosh Hashanah inquiry:

"OTTAWA - The federal privacy commissioner has quietly dropped her investigation into complaints that Prime Minister Stephen Harper mailed unsolicited Rosh Hashanah greetings, saying she has no jurisdiction over the matter because political parties fall outside Canada's two privacy laws."

Monday, March 03, 2008

Ontario Commissioner releases detailed report on TTC surveillance cameras

The Information and Privacy Commissioner of Ontario has released an extensive report on the use of video surveillance by the Toronto Transit Commission. The report can be found here: Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report - Privacy Investigation Report MC07-68.

From the media release:

TTC’s surveillance cameras comply with privacy Act, but additional steps needed to enhance privacy protection, says Privacy Commissioner Ann Cavoukian

TORONTO – Ontario Information and Privacy Commissioner Ann Cavoukian ruled today that the Toronto Transit System’s expansion of its video surveillance system, for the purposes of public safety and security, is in compliance with Ontario’s Municipal Freedom of Information and Protection of Privacy Act – but she is calling on the TTC to undertake a number of specific steps to enhance privacy protection.

The Commissioner’s office conducted a four-month special investigation that went beyond the scope of the usual privacy investigation conducted in that it included:

  • A detailed review of the literature and analysis from various parts of the world on the effectiveness of video surveillance;
  • An examination of the role that privacy-enhancing technologies can play in mitigating the privacy-invasive nature of video surveillance cameras; and
  • A detailed investigation into a privacy complaint by U.K-based Privacy International about the expansion of the TTC’s video surveillance system.

“Video surveillance presents a difficult subject matter for privacy officials to grapple with impartially because, on its face, it is inherently privacy-invasive due to the potential for data capture – despite that fact, there are legitimate uses for video surveillance … that render it in compliance with our privacy laws,” said the Commissioner. “Mass transit systems like the TTC, that are required to move large volumes of people, in confined spaces, on a daily basis, give rise to unique safety and security issues for the general public and operators of the system.”

“The challenge we thus face is to rein in, as tightly as possible, any potential for the unauthorized deployment of the system. We have attempted to do this by ensuring that strong controls are in place with respect to its governance (policy/procedures), oversight (independent audit, reportable to my office) and, the most promising long-term measure, the introduction of innovative privacy-enhancing technologies to effectively eliminate unauthorized access or use of any personal information obtained.”

While the expectation of privacy in public places is not the same as in private places, it does not disappear. People have the right, the Commissioner stresses in her report, to expect the following when it comes to video surveillance:

  • That their personal information will only be collected for legitimate, limited and specific purposes;
  • That the collection will be limited to the minimum necessary for the specified purposes; and
  • That their personal information will only be used and disclosed for the specified purposes.

“These general principles,” said Commissioner Cavoukian, “should apply to all video surveillance systems. Where developments such as video surveillance in mass transit systems, like the TTC, can be shown to be needed for public safety, you must also ensure that threats to privacy are kept to an absolute minimum.”

Among the 13 recommendations the Commissioner is making to the TTC are the following:

  • That the TTC reduce its retention period for video surveillance images from a maximum of seven days to a maximum of 72 hours (the same standard as the Toronto Police), unless required for an investigation;
  • That the TTC’s video surveillance policy should specifically state that the annual audit must be thorough, comprehensive, and must test all program areas of the TTC employing video surveillance to ensure compliance with the policy and the written procedures. The initial audit should be conducted by an independent third party using Generally Accepted Privacy Principles, and should include an assessment of the extent to which the TTC has complied with the recommendations made in this special report;
  • That the TTC should select a location to evaluate the privacy-enhancing video surveillance technology developed by University of Toronto researchers, K. Martin and K. Plataniotis; and
  • That, prior to providing the police with direct remote access to the video surveillance images, the TTC should amend the draft memorandum of understanding (MOU) with the Toronto Police to require that the logs of disclosures be subjected to regular audits, conducted on behalf of the TTC. A copy of the revised draft MOU should be provided to the Commissioner prior to signing.


The Commissioner devotes part of her 50-page special report, and a specific recommendation, to the area of emerging privacy-enhancing video surveillance technology.

“In light of the growth of surveillance technologies, not to mention the proliferation of biometrics and sensoring devices, the future of privacy may well lie in ensuring that the necessary protections are built right into their design,” said the Commissioner. “Privacy by design may be our ultimate protection in the future, promising a positive sum paradigm instead of the unlikely obliteration of a given technology.”

As an example of the research being conducted into privacy-enhancing technologies, the Commissioner cites the work of researchers Karl Martin and Kostas Plataniotis at the University of Toronto, who used cryptographic techniques to develop a secure object-based coding approach. While the background image captured by a surveillance camera can be viewed, the sections where individuals are caught in the image would automatically be encrypted by the software. Designated staff could monitor the footage for unauthorized activity, but would not be able to identify anyone. Only a limited number of designated officials with the correct encryption key could view the full image.

The Commissioner is recommending that the TTC select a location to evaluate the video surveillance technology developed by Martin and Plataniotis.

A copy of the special report is available on the IPC’s website,

Dilbert on drug testing, etc.

Sunday, March 02, 2008

Court of Appeal considers insured's right of access to IME notes

Last month, the Federal Court of Appeal issued its decision in Wyndowe v. Rousseau, 2008 FCA 39 (CanLII). This case involved an individual's request for access to information generated by a physician hired by his insurer for the purposes of an independent medical examination. At trial, Justice Tietelbaum held the information was "personal information" for the purposes of PIPEDA and that it was not covered by litigation privilege (See Rousseau v. Wyndowe, 2006 FC 1312 (CanLII) and Canadian Privacy Law Blog: FCA grants stay of judge's order for disclosure of personal information). The question of litigation privilege was not appealed.

The Federal Court of Appeal has some interesting things to say about the interplay of the common law and PIPEDA, the definition of personal information, the nature of "commercial activities".

On the question of "commercial activities", the Court was clear that the collection of the applicant's personal information was in the course of commercial activities:

[35] The question is whether the IME transaction was of a “commercial nature”, as defined in section 2. The transaction between Dr. Wyndowe’s corporation and Maritime Life, who was paying for the IME, is of a commercial nature. Mr. Rousseau’s relationship between himself and Maritime Life is also clearly of a commercial nature: it is governed by a contract between Mr. Rousseau and his insurer, where Mr. Rousseau presumably paid some premiums (or his employer paid the premiums as part of Mr. Rousseau’s compensation for employment) and he therefore may or may not be entitled to benefits.

[36] In the context of these two commercial relationships – between Dr. Wyndowe’s corporation and Maritime Life on the one hand and between Mr. Rousseau and Maritime Life on the second hand – I find it hard to believe that by introducing a third relationship – between Dr. Wyndowe and Mr. Rousseau – the commercial nature of the overall transaction is defeated. In my view, Dr. Wyndowe is merely the medical agent of Maritime Life. If Dr. Wyndowe worked as a full time doctor for Maritime life, there would be no question the transaction is commercial; being examined by him would merely be a step which Mr. Rousseau had to follow to collect his benefits. In that sense the examination would be akin to filling out a form required by Maritime Life in order to begin collecting benefits. Just because Dr. Wyndowe is an independent consultant hired by Maritime Life does not change the fact that the overall transaction retains its commercial nature. It also does not change the fact that Mr. Rousseau was only doing what his contract with Maritime Life required him to do to maintain his benefits, i.e. submitting to an IME.

With respect to whether the information is "personal information" of the applicant, the Court concluded it was:

[49] In light of the Privacy Commissioner’s recognition that there are in the notes information which is personal to Mr. Rousseau and information which is not, it may be said that in the end, Mr. Rousseau has a right of access to the information he gave the doctor, and to the final opinion of the doctor in the form of the report to the insurer. In accordance with Principle 4.9.1. of Schedule I to the PIPED Act, this enables Mr. Rousseau to correct any mistakes in the information he gave the doctor or which the doctor noted, as well as any mistakes in the doctor’s reasoned final opinion about his medical condition. But the process of getting to that final opinion from the initial personal information of Mr. Rousseau belongs to the doctor.

[50] This Court, in Canada (Information Commissioner) v. Canada (Minister of Citizenship and Immigration) (above, at para. 8), has recognized that “the same information can be “personal” to more than one individual” (at para. 15). It may well be, in the end, that some information in the notes will be personal to both Mr. Rousseau and Dr. Wyndowe. A balancing exercise similar to that proposed in our ruling in Canada (Information Commissioner) would then need to be performed.

And on the interplay between the common law and PIPEDA:

[26] A) the common law

The appellant first submits that as the PIPED Act does not clearly and unambiguously override the common law respecting the right of access to one’s personal health record, the common law should apply. At common law, as the argument goes, the right to inspect one’s medical records is only recognized where there is a fiduciary relationship between physician and patient (see McInerney v. MacDonald, 1992 CanLII 57 (S.C.C.), [1992] 2 S.C.R. 138. As there is no fiduciary relationship between the insured and the insurer’s doctor performing an IME (see X(Minors) v. Bedfordshire County Council, [1995] 3 All E.R. 353 (H.L.), the insured has no right of access to his medical records.

[27] I am not persuaded that at common law an insured has no right of access to his medical records. In any event, it is my view that the common law should not prevail where the very purpose of the PIPED Act is to provide new privacy protections to Canadians not otherwise enjoyed under the common law.

In the result, the Court of Appeal held that the applicant/insured had a right of access to the notes of the examining physician under PIPEDA.