Sunday, September 27, 2009

Privacy Commissioner releases study of six social networking sites

The Privacy Commissioner of Canada has posted a study of the privacy practices of six social networking sites. The report was written by Jennifer Barrigar and delivered in February 2009. I suppose it took that long to translate into both official languages. See: Social Network Site Privacy: A Comparative Analysis of Six Sites - February 2009.

Via Michael Geist.

Friday, September 25, 2009

Nova Scotia significantly amends public sector privacy law

Nova Scotia has just given the privacy provisions of FOIPOP some teeth with the passage of the Privacy Review Officer Act:

New Privacy Act Proclaimed News Releases Government of Nova Scotia

Department of Justice

September 25, 2009 10:34 AM

Personal information will be more secure under the Privacy Review Officer Act that takes effect today, Sept. 25.

The new act provides authority to a review officer to investigate breaches of privacy when people and organizations are not satisfied with how information shared with government or public bodies such as hospitals, universities and school boards is handled.

"This act demonstrates government's commitment to the security and safety of the personal information Nova Scotians entrust to their public bodies," said Justice Minister Ross Landry.

The government has appointed Freedom of Information Review Officer Dulcie McCallum, to this new position. A former ombudsman for the Province of British Columbia, Ms. McCallum was appointed the Freedom of Information Review Officer in 2007 for a five-year term.

Nova Scotia joins all other Canadian provinces and the federal government which have some kind of legislative authority for external review or oversight.

Privacy Commissioner to look into pollster's use of gun registry info

There is a fuss brewing in some circles about the RCMP hiring a polling firm to survey gun owners about the national firearms registry. The issue is that personal information about gun owners has been transferred to EKOS research.

I don't see the problem here, as long as EKOS is trustworthy and there is a robust agreement between the RCMP and EKOS. Government departments (and businesses) have to, from time to time, hire consultants to do specialized work that involves personal information. As long as that work is not inconsistent with the purposes for which the information was originally collected, I don't see an invasion of privacy.

See: CBC News - Canada - Pollster's use of gun registry details to be reviewed.

Wednesday, September 23, 2009

Facebook shuts down Beacon marketing tool

As part of a settlement of a large class-action lawsuit in California, Facebook has agreed to completely shut down its "Beacon" feature, which connects users' activites outside of Facebook to the users' profiles. See: Facebook shuts down Beacon marketing tool Sync.

Beacon was one of many high-profile privacy missteps taken by Facebook over its relatively short history. I've always thought that Facebook is a bit of a game-changer and has had to blaze its own trail through uncharted territory. While mistakes happen, it has been remarkable that Facebook has not been more open to its users by giving advance warning about significant changes and the simple use of "opt in" for features that are inherently intrusive.

This underscores the theory that privacy is, in large measure, about meeting users' expectations. If users are surprised by the use of their information, they get upset. If you tell users how you propose to use their information and give them control over that, they're generally fine with it. It's just that simple.

Friday, September 11, 2009

CATSA orders invasive body scanners for Canadian airports

According to the Edmonton Sun, the Canadian Air Transport Security Authority is ordering seven whole body scanners for use in airports. The scanners are controversial because they result in a "virtual strip search" so that the operator is able to make out the details of the passenger's body and supposedly anything that the person may be hiding under his or her clothes. The passenger's bits and pieces are clearly visible, and the manufacturer has special software that can be installed to blur the passenger's genital region (on the screen, not in real life). But CATSA has declined to order or install the blurring software, saying that if the nether region are blurred, it would be possible for bad guys to hide stuff in that area. See: Green light for scanners Canada News Edmonton Sun.

Thursday, September 10, 2009

Privacy Commissioners call for reconsideration of expanded surveillance powers

The federal, provincial and territorial Privacy Commissioners meeting together in St. John's have issued a statement calling for "caution" on the expansion of investigative powers proposed by the conservative government.

They issued the following media release, referring to resolutions available on the federal Commissioner's website:

Privacy commissioners urge caution on expanded surveillance plan

ST. JOHN'S, Sept. 10 /CNW Telbec/ - Parliament should take a cautious approach to legislative proposals to create an expanded surveillance regime that would have serious repercussions for privacy rights, say Canada's privacy guardians.

Privacy commissioners and ombudspersons from across the country issued a joint resolution today urging Parliamentarians to ensure there is a clear and demonstrable need to expand the investigative powers available to law enforcement and national security agencies to acquire digital evidence.

The federal government has introduced two bills aimed at ensuring that all wireless, Internet and other telecommunications companies allow for surveillance of communications, and comply with government agency demands for subscriber data - even without judicial authorization.

"Canadians put a high value on the privacy, confidentiality and security of their personal communications and our courts have also accorded a high expectation of privacy to such communications," says Jennifer Stoddart, the Privacy Commissioner of Canada.

"The current proposal will give police authorities unprecedented access to Canadians' personal information," the Commissioner says.

The resolution is the product of the semi-annual meeting of Canada's privacy commissioners and ombudspersons from federal, provincial and territorial jurisdictions across Canada, being held in St. John's.

The commissioners unanimously expressed concern about the privacy implications related to Bill C-46, the Investigative Powers for the 21st Century Act and Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act. Both bills were introduced in June.

"We feel that the existing legal regime governing interception of communications - set out in the Criminal Code and carefully constructed by government and Parliament over the decades - does protect the rights of Canadians very well," says Ed Ring, the Information and Privacy Commissioner for Newfoundland and Labrador and host of the meeting.

"The government has not yet provided compelling evidence to demonstrate the need for new powers that would threaten that careful balance between individual privacy and the legitimate needs of law enforcement and national security agencies."

The resolution states that, should Parliament determine that an expanded surveillance regime is essential, it must ensure any legislative proposals:

  • Are minimally intrusive;
  • Impose limits on the use of new powers;
  • Require that draft regulations be reviewed publicly before coming into force;
  • Include effective oversight;
  • Provide for regular public reporting on the use of powers; and
  • Include a five-year Parliamentary review.

At the meeting in St. John's, the commissioners and ombudspersons also passed a resolution about the need to protect personal information contained in online personal health records.

The resolution emphasizes the importance of empowering patients to control how their own health information is used and shared. For example, it calls for developers of personal health records to allow patients to gain access to their own health information, set rules about who else has access, and to receive alerts in the event of a breach.

"Personal health records have the potential to deliver significant benefits for patients and their health care providers. However, given the highly sensitive personal information involved, developers need to ensure they build in the highest privacy standards," says Commissioner Ring.

Both resolutions are available on the Privacy Commissioner of Canada's website,

The resolutions are here:

Wednesday, September 02, 2009

IPC issues advice on the "circle of care" under PHIPA

The Information and Privacy Commissioner of Ontario has released written guidance on the "circle of care" under that province's Personal Health Information Protection Act, entitled Circle of Care: Sharing Personal Health Information for Health-Care Purposes.

Here's the news release:

Privacy Commissioner Cavoukian and seven health organizations team up to eliminate confusion over key element of health privacy law

TORONTO, Sept. 2 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released a new publication that includes specific practical examples to help clarify any confusion over when health information custodians can assume a patient's implied consent to collect, use or disclose personal health information.

The brochure, Circle of Care: Sharing Personal Health Information for Health-Care Purposes, was developed with the collaboration of seven health organizations. "This brochure cuts through the confusion surrounding the term circle of care," said the Commissioner. "We are using seven relevant examples from across the broader continuum of the health sector to provide such clarification."

"There had been some confusion in the health sector as to the meaning and scope of the circle of care concept," explained Commissioner Cavoukian. "In part, this may have been because the term does not appear in the Personal Health Information Protection Act, 2004. It is, however, commonly used in the health-care community to describe the provisions in the Act that permit health-care providers to assume a patient's implied consent to collect and use personal health information - and to share that information with other health-care providers - in order to provide health care to that patient, unless the patient expressly indicates otherwise."

The Act is based on the premise that privacy can be protected, without needless delays in the health system.

"Overall, the Act is working very well, but clarity needed to be brought to bear on the circle of care concept," said Commissioner Cavoukian.

The seven examples in the brochure address this. As a fictional 61-year-old patient is followed through much of the health-care system, the examples provide specific guidance relating to when a health provider can assume implied consent.

The seven health organizations that worked with the IPC include (in alphabetical order): the College of Physicians and Surgeons, the Ontario Association of Community Care Access Centres, the Ontario Association of Non-Profit Homes and Services for Seniors, the Ontario Hospital Association, the Ontario Long Term Care Association, the Ontario Medical Association and the Ontario Ministry of Health and Long-Term Care.

Here is a condensed version of one of the examples used in the brochure:

A patient is sent by his family doctor to a laboratory for blood and urine testing. A geriatrician, a specialist whom the patient has been referred to by his family doctor, would like to obtain the results of those tests. He would also like to obtain a list of the patient's current prescriptions from the pharmacy where he fills all his prescriptions.

Can the laboratory and pharmacy disclose this personal health information and can the geriatrician collect information based on assumed implied consent?

Yes. The laboratory, pharmacy and geriatrician may assume implied consent. The personal health information was received by the laboratory and pharmacy - and will be received by the geriatrician - for the purpose of providing health care to this patient.

"Personal health information may be shared within the circle of care - among health-care providers who are providing health care to a specific patient - but not outside that circle," stressed Commissioner Cavoukian. "Any sharing of personal health information with other health-care providers for purposes other than the provision of health care - or the sharing of personal health information with persons or organizations that are not health-care providers, such as insurers and employers - requires the express consent of the patient."

To see a copy of the brochure, visit