Monday, June 24, 2013

Canadian federal government needs to get its own privacy house in order

No big surprise, but the Federal Privacy Commissioner, Jennifer Stoddart, has found that the federal government is seriously lacking as far as dealing with data breaches is concerned. Incomplete data produced by the government shows more than 3,000 breaches over ten years, affecting three quarters of a million Canadians. (And I'm sure this is just the tip of the iceberg.)

From the Canadian Press:

Poor data-breach tracking, reporting concerns federal privacy commissioner - Yahoo! News Canada

OTTAWA - Canada's privacy czar has singled out several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols.

Privacy commissioner Jennifer Stoddart's office has compiled a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians' personal information.

The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians.

Upon crunching the numbers, the privacy commissioner identified nine departments and agencies that may lack adequate reporting mechanisms, have faulty security procedures or require improved tracking protocols.

Stoddart's staff cautions that the figures paint a statistical picture but do not shed full light on the kind of data involved in the breaches.

Still, the office says two departments — Fisheries and Oceans and Public Safety — "may lack adequate reporting mechanisms" for alerting the privacy commissioner of a data loss.

Fisheries reported three breaches affecting 73 people between 2002 and 2012. However, for the same period there were actually 12 lapses affecting 4,690 individuals.

None of the 28 breaches that occurred at Public Safety after 2009 was reported, says the privacy commissioner.

"A cursory comparison between institutions indicates that they do not seem to have a consistent method for reporting breaches," say notes prepared by Stoddart's office. "Some systematically report breaches, others almost never."

Institutions that "may have systematic issues in safeguard and security protocols" are Citizenship and Immigration, Passport Canada, the Correctional Service, the RCMP, the Parole Board and Veterans Affairs.

Citizenship and Immigration had 161 breaches in 2012 alone, while the passport office had 131 incidents in 2011-12, said the commissioner.

Finally, the Canada Revenue Agency was not able to present any data, suggesting a "deficiency in tracking and auditing."

The difficulty with federal data breaches is not new, Stoddart said in an interview. "We know it's a systemic problem. We've seen it for years," she said. "So I think a positive action on the part of the government to strengthen education about it, prevention, followup and so on, would be the way to go."

The commissioner's office points out that while the federal Treasury Board has published guidelines for privacy breaches, they simply recommend — not require — that institutions notify the commissioner of certain kinds of breaches.

They include ones that involve sensitive personal data such as financial or medical information, can result in identity theft, or might otherwise harm or embarrass a person, damaging their career, reputation or well-being.

"Conversely, this means that there are a number of breaches that are not deemed to be serious enough to warrant notification to our office," say the notes. "We can presume that this may partially explain the vast number of unreported breaches."

During a recent meeting, Stoddart urged Treasury Board President Tony Clement to amend the privacy law to make reporting of federal data losses mandatory.

"It was a very positive meeting," Stoddart said. "Minister Clement seemed very concerned about the question of data and very interested in ways of strengthening data breach awareness, I'd say, and proactive work to minimize data breaches."

However, she said Clement "made no commitments" about enshrining mandatory reporting. Andrea Mandel-Campbell, a spokeswoman for Clement, said Monday that the minister is taking Stoddart's comments "under consideration."

Angus says a "complete overhaul" of reporting procedures is needed. "Every breach must be reported to the privacy commissioner," he said Monday.

Government must also ensure Stoddart's office has the resources to investigate lapses and powers to effectively police both federal agencies and private companies that lose data, he said.

"She has to have the tools that she needs to protect privacy."

After Human Resources and Skills Development lost the personal information of more than half a million people who took out student loans, Angus's NDP colleague, digital issues critic Charmaine Borg, tabled a motion in February requesting a House of Commons committee study mandatory breach notification. It was defeated.

Monday, June 10, 2013

Canadian Treasury Board sets new privacy breach notification policy, but only for itself

This is interesting: The organization in the Canadian federal government -- the Treasury Board -- which sets the IT and privacy policies for the entire government is implementing a privacy breach notification policy only for itself. Treasury Board will soon have to report any privacy breaches to the Privacy Commissioner, but other departments will still be able to set their own policies, according to the Ottawa Citizen: Under new policy Treasury Board will be required to report every data breach to privacy commissioner.

It's a start, but still a bit of a head scratcher.

Don't forget that Canada is in the national security / surveillance business as well

For those Canadians whose eyes have been focused south of the border over the past few days, following the revelation of the Verizon court order and speculation about the PRISM program, it's worth remembering that Canada is in the national security / surveillance business as well.

Canada has a "Canada Patriot Act" in the form of the Anti-Terrorism Act, which amended the CSIS Act and the National Defence Act (read Part V.1). Canada has an equivalent of the American Foreign Intelligence Surveillance Court, established under the CSIS Act. In addition, Canada's Communications Security Establishment is part of the Five Eyes signals intelligence community.

This article from today's Globe & Mail is worth a read, as it lays out Canada's own "metadata collection": Data-collection program got green light from MacKay in 2011 - The Globe and Mail.

Michael Geist has a great overview of this topic in his recent post "Why Canadians should be demanding answers about secret surveillance programs".

Thursday, June 06, 2013

BC Court finds that former employer is primarily responsible for patient records, not the departing therapist

In an interesting case from British Columbia (Synergy Counselling v. Dunvegan Enterprises, 2013 BCPC 101 (CanLII)) involving a dispute between a therapist and her employer, the Provincial Court had an opportunity to consider who has primary responsibility under the Personal Information Protection Act for patient files.

The therapist was an employee of the company and asserted she had primary responsibility for the patient files due to the patient-therapist relationship. The Court took a different view, which generally affirms the prevailing view that when a person is employed to provide healthcare services to others, the employer is the primary custodian of the resulting records:

[104] The Defendant expressed the view that the Claimant took the files for an improper purpose and that it was part of the Claimant’s attempt to “steal” a counselling practice from the Defendant.

[105] Both parties asserted a primary responsibility for the protection of personal information contained in the files under the provisions of the Personal Information Protection Act, [SBC 2003] Ch. 63. Both parties referred to provisions in the Act.

[106] The purpose of the Act is found in s. 2:

2 The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

[107] Sections 4 and 34 provide as follows:

4 (1) In meeting its responsibilities under this Act, an organization must consider what a reasonable person would consider appropriate in the circumstances.

(2) An organization is responsible for personal information under its control, including personal information that is not in the custody of the organization. ….

34 An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.

[108] The Act requires that organizations exercise reasonable care in fulfilling their obligations with respect to the protection of personal information under their control. The Act, however, does not assist in determining who, in these circumstances, should exercise that control.

[109] In McInerney v. MacDonald 1992 CanLII 57 (SCC), [1992] 2 S.C.R. 138 the Supreme Court of Canada affirmed the common law position that although a medical file itself may be owned by a physician, the patient has a continuing equitable interest in the medical information contained within it. A patient, as a general rule, is entitled to access the medical information in her records and to inspect and copy that information. This broad principle will have application to other clinical records, such as the counselling records concerned here.

[110] It seems clear that clients who attended the KCT offices to obtain counselling services, signed KCT file opening documents, paid accounts rendered to them by KCT and received KCT receipts, no doubt understood themselves to be clients of KCT rather than of the particular counsellor they saw. These clients would reasonably have expected that their files would remain within the KCT offices or otherwise under KCT control unless other arrangements had been agreed.

[111] I’m satisfied that these client files properly belonged to KCT and not to the individual therapist, notwithstanding the therapist’s obligation to hold information in confidence. That personal undertaking did not by itself confer ownership or a right to permanent possession of the file by the therapist concerned.

[112] As for the requirements of the Personal Information Protection Act, there is no suggestion that the Defendant was not meeting its obligations under the Act. On the assumption that the Claimant and Ms. Schell also had obligations under the Act, those obligations would have been reasonably discharged by leaving the KCT files in the custody and control of their owner, the Defendant.

[113] In the absence of any agreement between the parties or their clients regarding file storage, there will be an order that all files removed from KCT offices by the Claimant shall be returned to KCT, provided that the Claimant may retain the files of those KCT clients who have since become clients of Synergy or who have otherwise requested in writing that Synergy maintain their records.

Privacy Commissioner of Canada tables annual report on private sector privacy law

The Privacy Commissioner of Canada has today tabled her annual report to Parliament on the private sector privacy law that she oversees. The report can be found here: Annual Report to Parliament 2012 - Report on the Personal Information Protection and Electronic Documents Act.

Here's her media release:

Privacy Commissioner stresses significance of online reputation and business accountability in digital age

Annual report tells tales of rental laptops that spied on users, the response to a teen smeared by a social network imposter and a dating site that left sensitive health data vulnerable.

OTTAWA, June 6, 2013 – Privacy Commissioner Jennifer Stoddart today released the Office of the Privacy Commissioner’s (OPC) annual report on the Personal Information Protection and Electronic Documents Act (PIPEDA) for 2012, which details investigations affecting individual online reputation and the growing importance of organizational accountability. This is the Commissioner’s last PIPEDA annual report before the end of her mandate and it underlines the need for changes to the law to bring it up to speed with today’s rapidly changing, digitally driven times.

“As in previous years, our annual report outlines some significant achievements as investigations led to improved privacy practices among businesses,” said Commissioner Stoddart.

“Such changes, however, often came only after long investigative and follow-up processes, and therefore at significant costs. Canadians would be better served by a law that motivates organizations to put privacy considerations up front, rather than the current situation where we’re left to trigger a mop-up after privacy is violated.”

Leering laptops

The report details the outcome of a Commissioner-initiated complaint against a Canadian franchisee of rent-to-own company Aaron’s Inc. “Detective Mode” software was installed onto its rented laptops, enabling the collection of data, including key strokes, screen shots and web cam photos without user knowledge.

While installing the software was intended to recover lost or stolen laptops, the OPC found that the extreme measure wasn’t justified, given the egregious and disproportionate loss of privacy for its clients. The franchisee agreed to delete what the software collected, and the company committed to never again using this type of tool.

Facebook fakery

This year’s report also includes the story of a teen whose reputation was imperiled by a fake Facebook account being set up in her name. She was not a Facebook member, but many of her real life friends were. They “friended” the impostor account and then received a barrage of inappropriate comments.

The teen’s mother complained to the OPC and demanded Facebook delete the account. Upon determining the account was indeed a fake, the company promptly deleted it. The teen’s reputation, though, remained at risk as those who had been “friended” by the account were not notified of it being a fake. As a result, following negotiations with the OPC, Facebook agreed to implement a new process moving forward to help non-users notify individuals “friended” by imposter accounts.

Information on singles with STDs unprotected

The report also details our investigation into complaints by members of a dating web site for people with sexually transmitted diseases called PositiveSingles. They alleged that, unbeknownst to them, their profiles, including personal information detailing their individual health status, were stored in a database accessible by a wider network of affiliated sites. The investigation concluded that PositiveSingles and its parent company, SuccessfulMatch, failed to openly and clearly explain to prospective members how and to whom their personal information would be visible and disclosed. SuccessfulMatch then made changes to the web site to make its information handling practices more transparent, including informing prospective members of the broad visibility of profiles at the point of registration.

Overall, 2012 saw 220 complaints accepted by the OPC, down from 281 the previous year. The OPC also completed 145 formal investigations in 2012, marking a 21-percent increase from the year before, while also realising a 12-percent reduction in the time it took to resolve formal investigations.