Saturday, January 31, 2004

Release - Federal, British Columbia and Alberta Commissioners Working Together to Ensure Seamless Privacy Protection in the Private Sector

News Release - January 26, 2004 - Office of the Privacy Commissioner of Canada: Federal, British Columbia and Alberta commissioners working together to ensure seamless privacy protection in the private sector

"Ottawa, January 26, 2004 - The Privacy Commissioner of Canada, Jennifer Stoddart, the Information and Privacy Commissioner of British Columbia, David Loukidelis, and the Information and Privacy Commissioner of Alberta, Frank Work, today announced that they will be working cooperatively to develop a harmonized approach to dealing with privacy complaints in the private sector.

All three jurisdictions face new responsibilities with the coming into force on January 1, 2004 of their respective private sector privacy laws. Last week, Ms. Stoddart, Mr. Loukidelis and Mr. Work met in Ottawa to begin working out an understanding for administering their respective laws and to begin developing fair, consistent and clear rules of enforcement, which will help to eliminate any confusion regarding jurisdiction. "

Article: Companies and Consumers Clash on Privacy Issues

Here is some coverage of the Accenture survey (reported on in a previous post) from destinationCRM.com: Companies and Consumers Clash on Privacy Issues:

"Although the majority of businesses were found to underestimate the importance of their privacy policies and think they are unlikely to influence consumer perception, 51 percent of consumers surveyed said they avoid dealing with companies whose privacy policies make them uncomfortable. Simultaneously, consumers overestimated the amount of personal information that companies are legally allowed to collect about them, although businesses did admit to collecting some data to which they believe they are not entitled. "

Friday, January 30, 2004

Study: Wide Chasm Exists Between U.S. Businesses and Consumers Regarding Privacy and Trust Related to Personal Data

Thanks to beSpacific for the link to the following study from Accenture:

"Accenture Study Reveals Wide Chasm Exists Between U.S. Businesses and Consumers Regarding Privacy and Trust Related to Personal Data
Findings Point to Opportunity for Businesses to Build Trusted Relationships with Customers

NEW YORK; Jan. 27, 2004 - Fear of inadequate protection of personal data has compelled half of consumers to reject or cancel doing business with a company. This is just one of several findings of a survey of U.S. consumers and businesses on privacy, trust and access to personal data released today by Accenture. "

Interesting study, but the usual disclaimers apply.

Incident: Hackers may have accessed personal info for 20,000 Georgia students

Mercury News | 01/29/2004 | Hackers may have accessed personal info for 20,000 Georgia students: "Hackers may have accessed personal info for 20,000 Georgia students"

CNN.com - Hackers breach university server - Jan. 30, 2004: "ATHENS, Georgia (AP) -- Federal and state authorities are investigating whether hackers gained access to Social Security and credit card numbers of 31,000 University of Georgia students and applicants, officials said Thursday. "

Thursday, January 29, 2004

Sorry, but implementing privacy laws may upset some customers.

New laws, such as Alberta's new privacy law, often cause disruptions. There's a letter in the Edmonton Journal from an Epcor customer who is irate that she was not able to get information about her bill without her husband's OK. It appears that the account is in his name and EPCOR now has a policy that they won't give out information without the OK of the person whose name is on the account. I guess that seventeen years ago, when the account was opened, it didn't make any sense to put both names on it. More current practice that I've seen for new accounts is to ask the customer if they want another person to have access to the account information. At least that was the case when I last set up an account with Aliant, my local phone company.

I have some sympathy for the writer of the angry letter:

"When I gave her my name she told me that due to the new provincial legislation regarding privacy and the disclosure of information to third parties, she could not talk to me. My husband was not at home at the time. I asked to speak to a supervisor and was given the same information.

I am livid. This account was established 17 years ago when we moved into our home and in fact our account is on Epcor's authorized payment withdrawal plan (we have a joint bank account).

The supervisor informed me that while we may have a joint account she still cannot talk to me. My husband would have to call Epcor and authorize them to add my name as a contact for our account! When he did call, they asked him for his date of birth for verification purposes. Turns out they have my date of birth on file.

I do not believe Epcor's practice is in the spirit of the new legislation. In fact, I called Shaw earlier this week where the account is also in my husband's name and had no problem talking with customer service about my account. "

While I may have some sympathy for her, the company in question is between a rock and a hard place, and it is better to err on the side of caution. They can't really rely on implied consent in this case, but one call from her husband should fix it.

I'm sure customers would be equally livid if they went through the experience of the guy in Mississauga, Ontario whose ex-spouse received his cell-phone details without his consent, which were subsequently used against him and his mistress. (I can't find any other info on the story since the National Post took the September 27, 2003 story offline.) Philandering spouses usually don't get much sympathy, but the phone company was clearly in the wrong. It wouldn't take much imagination to imagine what sort of damage such a disclosure might have caused if the records at issue were the calls made by an abused wife and the phone company had released records to an abusive spouse. Anybody thinking about what to do about releasing personal information really needs to weigh the inconvenience factor against the worst-case risk of harm. In light of the unfortunate reality out there, businesses really need to avoid accidentally giving the wrong people the tools to stalk, steal identities and commit violence. Unfortunately, nobody becomes aware of the disasters avoided.

Wednesday, January 28, 2004

"PIPEDA compliant" software

I am often perplexed by press releases and marketing speak that suggest that a piece of software can make your business "PIPEDA compliant" or "privacy compliant". I just came across the following (names are changed so that I'm not singling anyone out):

"XXXX upgrades e-mail marketing product

E-mail marketing service provider XXXX has released version XXXX of its e-mail marketing product, XXXX. The new release includes an improved spam-checker feature, certified compliance in support of Canada's new privacy law (PIPEDA) and significantly enhanced reporting capabilities."

What the heck does "certified compliance" mean? I looked at the company website and there was no certificate from anyone other than a web-seal of their privacy policy. No suggestion that their product has been certified as PIPEDA A-OK. I'm curious if my shoe can be "certified privacy compliant" since it doesn't collect, use or disclose personal information without written opt-in consent. The part that is particularly confusing in this release is the fact that their e-mail product includes what appear to be intrusive "enhanced reporting capabilities":

"Features of the improved reporting system include visual link tracking report (with colour-coding, marketers can now see where e-mail recipients have clicked in a visual representation of the actual e-mail that was sent) and drill-down reporting (all reports in the XXXX system now link e-mail addresses to a profile of that individual)."

Not only is privacy not a technology problem with a technology solution, it appears that an intrusive product that collects personal information without the individual's knowledge is being dressed up as privacy-friendly. Buyer beware!

Article: Ontario Privacy chief criticizes limits to health records

London Free Press: News Section - Privacy chief criticizes limits to health records:

"Privacy chief criticizes limits to health records
Ontario's information and privacy office called proposed legislation insulting and flawed.

TORONTO -- Forcing Ontario's information and privacy office to obtain warrants to obtain patient's medical records is a serious and insulting flaw in proposed legislation to protect the personal health information of individuals, says commissioner Ann Cavoukian. 'I am truly baffled. It makes no sense,' Cavoukian told reporters yesterday after appearing before a legislative committee studying the proposed bill. "

Tuesday, January 27, 2004

Conference: Securing Privacy in the Internet Age

Stanford's upcoming conference: Securing Privacy in the Internet Age:

A Stanford Law School Symposium: Securing Privacy in the Internet Age

What legal regimes or market initiatives would best prevent the unauthorized disclosure of private information while also promoting business innovation?

March 13-14 2004
Stanford Law School

As individuals do more – shopping, talking, working – on-line, they leave private information behind in databases stored on Internet-connected servers. Companies store proprietary data on networked servers connected to the Internet. Computer security experts struggle to develop technology and best practices to protect this information from unauthorized intruders or inadvertent leaks. Are private initiatives sufficient to protect private and confidential information, or should the law allocate the responsibility of keeping the server secure, and if so, on whom? And will the imposition of this legal and economic burden impede further exponential advances like those the computer industry has made in the past decade?

The Law, Science and Technology Program (LST) and the Center for Internet and Society (CIS) at Stanford Law School invite you to join us at a symposium where the speakers will present papers that address the ways in which application of various legal doctrines could induce software vendors, hardware companies and system administrators to adopt security-enhancing practices, report unauthorized disclosures of private information, properly value and remedy harm flowing from privacy breaches, while promoting vigorous competition and innovation.

Article: Microsoft, IBM, Philips to back RFID tracking technology

IDG.com.sg - Microsoft, IBM, Philips to back RFID tracking technology:

"'2004 is going to be a real crazy year for RFID,' said Evelien Vredeveld, IBM's worldwide RFID leader. 'Last year there was a lot of concern about privacy issues with RFID but this year, I think consumers will begin to learn the many benefits of the technology.' For example, if a product with the RFID tag breaks and needs to be returned to the store, the consumer won't need a receipt as all of that information will be part of the tag's data. "

Monday, January 26, 2004

Article: New call for cab cams

New call for cab cams:

"VANCOUVER - The manager of a Vancouver taxi company is renewing his call for cameras in cabs, to protect drivers.

John Palis says there have been three vicious assaults on drivers in the past month, with the most recent attack just last Thursday.

A driver with Yellow Cabs was so badly beaten, he ended up in the intensive care ward at Vancouver General Hospital.

'I think that taxi drivers are vulnerable, because for one thing, for criminal or desperate criminals they're a quick source of cash,' he says.

Palis says cameras in cabs in Toronto and Winnipeg prevent assaults.

B.C.'s Information and Privacy Commissioner has expressed concern over the cameras, and has suggested that plastic shields might be a better solution. "

Article: Let Common Sense Guide Privacy Rules

InformationWeek : Bob Evans : Business Technology: Let Common Sense Guide Privacy Rules : January 26, 2004:

"Is your company devoting enough time, energy, and executive-level advocacy to issues relating to privacy? The ramifications, repercussions, rationale, and reasonableness of your company's policies toward consumer data? Do legitimate situations ever arise that call for information about your customers to be shared with law-enforcement agencies, the federal government, or--imagine this--even your customers themselves?

Are you prepared enough to address some of the most bizarre, logic-twisting scenarios you can imagine? Are you and your colleagues and your partners fully aware of the positions taken by the extreme ends of the thinking on the privacy spectrum so that you can be prepared to handle the extreme outcries they're sure to raise should you do something that you might think is right but that they feel is wrong? "

Article: Inuvik security cams not Big Brother, insists mayor

CBC North | News:

"'Nobody'll be sitting there monitoring them all the time,' he says. 'They will... be digitally recorded. If people want to look at it or go back and look at certain sections of it they can.'"

Article: Lawyers weigh privacy act

Today's Globe and Mail has an article on the difficulty that lawyers have in implementing PIPEDA in their own practices.

"Like other private businesses, law firms across Canada are now subject to Ottawa's personal information and privacy legislation. However, even lawyers are stumped by some requirements of the law."

And it quotes a good friend, Jenny Gray:

Jennifer Gray, an associate lawyer with Patterson Palmer in Halifax, says "we are doing largely the same thing for many clients as we are for the firm: understanding the legislation, developing privacy compliance policies and procedures, and looking at all our obligations."

While Ms. Gray thinks the legislation may be less onerous for law firms -- which are already responsible for the "caretaking" of client information -- she cites a lack of clarity in the law. "Given its newness for the private sector, the legislation has not been interpreted by the courts, so it is difficult to put policies and procedures in place when we don't know what position the Privacy Commissioner might take in any given circumstance."

Sunday, January 25, 2004

ACLU and California Library Association Launches Campaign to Take Action Against the Patriot Act and Restore Constitutional Rights

ACLU and California Library Association Launches Campaign to Take Action Against the Patriot Act and Restore Constitutional Rights - Most of my comments and musings here are about private sector privacy in Canada, but I just felt compelled to link to a new privacy-related ad from the US ACLU:

Don't you hate it when someone reads over your shoulder? Especially when that someone is the Justice Department.

Article: Swiping driver's licenses - instant marketing lists?

A little while ago, I wrote about biometrics on drivers licenses and particularly referred to the practice of swiping driver's licenses (below). Debora Pierce, who regularly writes on law and technology issues in the Seattle Press, has an article on the topic that I just found: The Seattle Press - LAW&TECHNOLOGY: Swiping driver's licenses - instant marketing lists?:

"IN AN effort to cut down on underage drinking and smoking, many bars, clubs, and restaurants have begun to use devices that scan driver's licenses. In addition to verifying the age of the driver's license holder, the scanner also picks up all of the information in the magnetic stripe found on the backs of most driver's licenses. The obvious benefit is that underage drinking and smoking is curtailed, but that benefit comes at a price. Here is another case where technology has outpaced the law, and the casualty is privacy. "

I would suggest that the automatic swiping of driver's licenses at bars is very likely in violation of the law here in Canada. The federal privacy law, PIPEDA, requires knowledge and consent for the collection, use or disclosure of personal information. From what I understand, individuals are not being informed about why their cards are being swiped and how that information will be used. There is no "identifying Purposes", as required by Principle II. Individuals are not being given the opportunity to consent, let alone being asked to consent. If a bar refuses admission because you refuse to have your personal information harvested, they are in violation of the following sub-principles:

4.3.2 - The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.

If the collection is supposed to be to verify that the license has not been tampered with, it probably still amounts to a violation of Principle 4 - Limiting Collection because much more information is collected and used than is necessary for that particular purpose:

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

The Federal Privacy Commissioner hasn't, as far as I know, had a complaint about this practice but I am sure it is not too far off.

Article: Online Privacy Policies Misleading

CRM Daily is reporting on a study I commented on a little while ago (see below). The study, by Michigan State University researchers, suggests that websites using the leading "privacy seals", such as TRUSTe, collect more personal information and protect it less than sites that don't use the seals, lulling users into a false sense of security.

Enterprise Security Today (Online Security): Online Privacy Policies Misleading: "Companies use privacy policies not just to inform customers but also to persuade them to yield personal information despite lax privacy-protection measures -- which could harm them in the long run. 'Our findings suggest that the Federal Trade Commission's current self-regulatory policy is insufficient,' says researcher Nora Rifon."

Article: Privacy Traded for Discounts

Hartford Courant: Privacy Traded For Discounts: Apparently the Hartford (Connecticut) Courant has an article on intrusive customer loyalty programs. At least that's what I gleaned from the Google summary (below). I never read the full text because I didn't want to fill out the intrusive Courant registration form:

Privacy Traded For Discounts
Hartford Courant (subscription), CT - 3 hours ago
... Give a company only basic personal information, such as name and address.
Never give out your Social Security or bank account numbers. ...

Incident: Computer containing airline ticketing info stolen

Computer containing airline ticketing info stolen - Computerworld

"JANUARY 14, 2004 ( COMPUTERWORLD ) - Airlines Reporting Corp. (ARC), an airline-owned financial transaction processing company, said yesterday that two computers, one of which contained airline ticketing data, have been stolen. "

Friday, January 23, 2004

Findings: New findings issued by the Office of the Privacy Commissioner

Commissioner's Findings - Privacy Commissioner of Canada - For the first time in quite a while, the Office of the Privacy Commissioner has issued a new batch of findings (and when I say "new", it only means newly-released because they all date from August through September of last year):

Thanks: Internet Legal Research Weekly

Thanks to Tom Mighell for linking to this Blog in the January 18 edition of the Internet Legal Research Weekly:

"Blawgs of the Week
It has been awhile since I've discussed the new law-related weblogs I have come across. Here are a few: Lawyers Don't Get It is a new blawg from a New York lawyer, who believes (quite rightly) the practice of law would greatly benefit from the intelligent application of information technology. At word of blog, Debbi Mack compiles "legal news and resources for writers, editors, musicians, artists, and other communicators." From up north comes Canadian Privacy Law, where lawyer David Fraser publishes developments in privacy law and information related to the Personal Information Protection and Electronic Documents Act. Susan Bird has been practicing environmental law with the Department of Defense since 1989. She shares her experiences along with news for federal agency environmental lawyers over at Cumulative Impacts.

Wednesday, January 21, 2004

Article: ZDNet UK - Does your data belong to you?

ZDNet UK - Comment - Does your data belong to you? - ZDNet in the UK has a general commentary piece that includes the Privacy Commissioner of Australia's view of retail use of RFID:

Malcolm Crompton, Australia's Privacy Commissioner, told ZDNet Australia's James Pearce that if incorrectly implemented, RFID could be a big problem.

It's a post-sale concern -- the use of these tags along the supply chain to point of sale wasn't the issue. It's what happens after that, said Crompton. Although he conceded that RFID technology was not inherently bad, he said that individuals and companies in the United States considering collecting data after the point of sale was a cause for concern.

But the Commissioner is confident that the Privacy Act does provide a stable framework for deploying RFID technology.

Tuesday, January 20, 2004

Article: Life of PI

You've got to hand it to ITBusiness. They've done a great job of covering the implementation of PIPEDA, with regular articles that deal with different aspects of the law. In the article entitled Life of PI, Shane Schick considers the difficulties being faced by organizations thanks to the shades of grey in the Act.

Unlike most statutes, PIPEDA has little to do with rules. It is really a collection of principles. Coming from the Canadian Standards Association Model Code for the Protection of Personal Information, it was originally drafted to be voluntary best practices to be adopted by companies. Of course, they'd adopt it for their particular business, since it was drafted to be industry neutral. Moving from best practices to law is difficult for some to handle. Most people are used to laws being relatively black and white. "You can do this and you can't do that." Instead, PIPEDA confuses people by saying things like:

The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

The form of consent shall be commensurate with the sensitivity of the information. An example of what is "sensitive" is provided. But wait! It says any information can be sensitive depending upon the circumstances. Ok. It looks like it means the more sensitive it is, the more certain you must be that consent is informed consent and the more certain you have to be that you've actually obtained affirmative consent. Don't infer consent if the info is sensitive and don't presume consent. But in the end, the "user" is left to determine how sensitive the information is and whether the form of consent measures up.

It has been interesting to observe how people approach PIPEDA when they first read some of these provisions. They want answers and instead it is nothing but shades of grey. I have seen too many people throw up their hands, essentially saying that because they can't situate themselves in the spectrum of grey, it's futile. Others put themselves in the shoes of their more "privacy-aware" customers and think "If I were worried about my privacy, what would I want the company to do?" I prefer this approach. It is not a good idea to only try to technically comply or to do the absolute least. That's a recipe for trouble. If you can anticipate the needs/concerns/issues of the top five percent of privacy-aware customers and tailor your processes to get them onside, you should do OK. In short, err on the side of caution.

Upcoming Conference: Living with the new private sector privacy law

I just got an e-mail from Tom Riley of Riley Information Services, which is based in Ottawa. They are organizing a privacy conference entitled LIVING WITH NEW PRIVATE SECTOR PRIVACY LAW: WHAT YOU NEED TO KNOW. The speakers look great and the content looks good, too. I've never attended any of their seminars (they've had quite a few), but I am a big fan of theirs. Primarily because Riley, unlike most conference organizers, provides the conference materials online, free of charge. They're a terrific resource.

Privacy International - Know your Data Campaign

Privacy International has a campaign in the United Kingdom encouraging individuals to ask for access to their personal data from telecommunications companies, including internet service providers. The campaign is called the Know your Data Campaign, and their website includes a number of model letters for individuals to send to their ISPs. The kind of information being requested goes well beyond the usual billing information that most individuals think of automatically when they ask themselves what sort of info about them is held by their ISP:

In particular, the following types of personal data are sought:

  • "communications data" as defined by Section 21(4) and Section 21(6) of the Regulation of Investigatory Powers Act 2000;
  • any data processed by DSLAMs/routers/switches/servers/Message-Transfer-Agents(MTAs)/monitoring-systems or other software or hardware devices under your control, which is retained and/or disclosed in hardcopy, electronic media, backup devices, transient storage or otherwise;
  • case notes on incidents, events, disclosures, collections, modifications or faults;
  • records of disclosures (including e-mails) to other parties including under the DPA 1998 Section 29(3) and other legal authorities;
  • the logic of any automated decision processes as required under DPA 1998 7(d) [2];
  • the sources of the personal data.

As required by the Data Protection Act 1998 section 8(2), please provide an explanation of the purpose, meaning, and context of the information.

The Campaign for Freedom of Information (also in the UK) has similar resources to advise individuals about their right to access their personal information.

Awareness of PIPEDA is not very high among the general population in Canada, but I expect that will change over time. I wouldn't be surprised if Canadian civil liberties or consumer advocacy organizations were to mount a similar campaign eventually.

Monday, January 19, 2004

Article: Copps willing to sign new Liberal party form

CTV.ca - Copps willing to sign new Liberal party form - A story on www.ctv.ca reports that Sheila Copps is going to sign a candidate information form that asks rather personal information, such as criminal convictions, mental illness, etc. It apparently also purports to give the party carte blanche to use the info for any purpose, in their absolute discretion:

"Critics say the rules violate privacy principles which say that personal information can only be kept for a limited time and used for a specific purpose. While it is not clear if the rules violate new federal privacy legislation -- which applies only to commercial organizations and companies -- they may violate provincial laws in British Columbia, Alberta and Quebec."

Update - 2004.01.21 - An article in the Toronto Star quotes Sheila Copps denouncing the Liberal party form as not "worth the paper that it is written on." Also, she says it is an invasion of her privacy and a violation of the Charter of Rights.

Article: Keeping tabs on drivers of rental cars

IHT: Keeping tabs on drivers of rental cars - The International Herald Tribune reports today on the use of telematics devices in rental cars.

Car rental companies have come to rely on an emerging technology called telematics - which combines satellite-based Global Positioning System tracking, wireless communications and vehicle monitoring systems - to keep tabs on their vehicles. About a quarter of the rental cars in the United States are equipped with tracking technology, analysts estimate. The industry views telematics as a way to enforce its contracts, but some customers regard it, at best, as a means to make more money and, at worst, as an invasion of privacy.

A variation of this story is also reported in today's Toronto Star. The TorStar version is more useful for Canadian readers as it reports on the practices of Hertz, Budget and Avis.

Article: Fighting privacy law questionable

TheStar.com - Fighting privacy law questionable: This morning's Toronto Star has a good and insightful article, written by well-respected technology law expert, Michael Geist. Geist has some very good comments about the constitutional challenge of PIPEDA by the Quebec government:

Critics of the privacy statute have used the constitutional challenge to increase the volume of their dire warnings. In the words of skeptics, PIPEDA is a "tax," a "multi-dimensional mess," "unhinged," "vague," "ungainly" and now "constitutionally suspect." What the critics don't say is that the alternatives breed even greater business uncertainty, create the prospect for a data trade war with the European Union and simply don't make sense in an era where provincial boundaries are largely irrelevant to most commercial transactions.

While critics often claim that the privacy law creates uncertainty within the business community, the truth is that a diverse collection of provincial privacy statutes would create a far more complex — and more expensive — legislative framework. Businesses of all sizes that shudder at the prospect of complying with a single privacy law, should consider the chaos of a framework featuring up to a dozen potentially conflicting privacy statutes.

Sunday, January 18, 2004

Article: Ontario considering putting biometric data on drivers' licenses

In an earlier post, I linked to an article which said Manitoba had abandoned plans to include biometric identifiers on drivers' licenses. It looks like Ontario is looking at going down the road of biometrics on licenses. This is from Friday's Globe and Mail:

The Globe and Mail (Friday, January 16, 2004 12:00 AM Page A8): "TORONTO -- Ontario's Liberal government is exploring the possibility of putting biometric identifiers such as fingerprints and iris scans on drivers' licences as part of a continent-wide effort to prevent identity theft.

'Security is our main concern,' Harinder Takhar, the province's Transportation Minister said yesterday, adding that his ministry is working with authorities in other jurisdictions to determine what sort of harmonization will eventually be necessary."

After reports of companies - such as bars - "scanning" licenses and keeping the data indefinitely, the privacy risks of encoding more data on licenses are huge.

See the following from the Nova Scotia Freedom of Information and Protection of Privacy Review Officer:

In another matter, a patron at a Halifax bar who was asked to show her driver's license to prove her age, objected when her card was taken and the information encoded on the back of the card swiped into a database. The bar said it did this to confirm the age of the patron. The patron went public with her complaint and the Review Officer was interviewed in the press to provide his views of this practice. He noted that it was proper for bars to ask for proof of age but inappropriate for them to enter the information into a database over which the patron has no control. The Review Officer has written to the manager to ask for more information about the use of the database.

This story was also reported in the Halifax Chronicle Herald on August 13, 2003. It is no longer available online, but has been reproduced and posted by John van Gurp (who has an interesting page highlighting the growing presence of privately owned video surveillance cameras in the public spaces of Halifax.) There are also more recent reports of a proposed project to photograph and scan ID from visitors to bars in downtown Vancouver.

RCMP to investigate Radwanski

It looks like things are taking a turn for the worse for the former Canadian Federal Privacy Commissioner, George Radwanski. All the major Canadian media are reporting that he is the subject of an RCMP investigation due to allegations that led to his resignation last summer. See:

  • CBC News: RCMP to investigate Radwanski
    "OTTAWA - The RCMP is launching a criminal investigation into the spending of former privacy commissioner George Radwanski and several of his top officials, the National Post reported Saturday."

  • National Post: Mounties to investigate Radwanski's spending
    "OTTAWA -- The RCMP will launch a full criminal investigation into the spending and actions of George Radwanski, the former privacy commissioner, and several of his acolytes after reviewing a series of allegations of wrongdoing detailed in a fall report by the auditor general."

  • Globe and Mail: More heat on Radwanski
    "Following a detailed and lengthy review of the allegations made in Auditor General Sheila Fraser's report into Mr. Radwanski's activities, the RCMP has determined that there are sufficient grounds to launch a full criminal investigation into several matters described in the report," RCMP spokeswoman Constable Nathalie Deschenes said.

Here's what happens when you Google "Radwanski" in the new Google News Service:

Jail for Radwanski?
Winnipeg Sun, Canada - 8 hours ago
OTTAWA -- An RCMP investigation into the George Radwanski affair could reach all
the way to the Prime Minister's Office and result in jail time for the former ...

Mounties closing in
Edmonton Sun, Canada - 9 hours ago
OTTAWA -- An RCMP investigation into the George Radwanski affair could reach all
the way to the Prime Minister's Office and result in jail time for the former ...

Probe heading toward PMO
Calgary Sun, Canada - 10 hours ago
OTTAWA -- An RCMP investigation into the George Radwanski affair could reach all
the way to the Prime Minister's Office and result in jail time for the former ...

Abuse curbed, PM says
Toronto Star, Canada - 12 hours ago
... Paul Martin says his ethics package and financial controls were designed to prevent
situations similar to that of former privacy commissioner George Radwanski. ...

More heat on Radwanski
The Globe and Mail, Canada - 23 hours ago
The RCMP is launching a full criminal investigation into the spending habits of former
privacy commissioner George Radwanski and a number of his subordinates. ...

RCMP plans criminal investigation of Radwanski
CTV, Canada - 17 Jan 2004
Former privacy commissioner George Radwanski could be in more hot
water. The RCMP is launching a full criminal investigation into ...

RCMP to investigate Radwanski
CBC News, Canada - 17 Jan 2004
OTTAWA - The RCMP is launching a criminal investigation into the spending of former
privacy commissioner George Radwanski and several of his top officials, the ...

The Privacy Lawyer: CPO Watch: Richard Purcell

The Privacy Lawyer: CPO Watch: Richard Purcell - Parry Aftab has a regular column in Informationweek.com entitled the "Privacy Lawyer". In the November 17, 2003 edition, she began a new series of columns called "CPO Watch" to profile various Chief Privacy Officers. Her inaugural edition was a profile of Richard Purcell, the former CPO of Microsoft and now a privacy consultant with the Corporate Privacy Group.

"Privacy needs to be defined more broadly in larger corporations than previously thought. People tend to focus on privacy as what's collected at the Web site or on health insurance or warranty forms, instead of recognizing that privacy is much broader. Privacy and respect for personal information has to become a core value. And all employees need to guard it and make sure they are implementing the corporate strategy."

Article: e-Privacy?

Hoover Digest - 2000 No. 3 - e-Privacy? by Mary J. Cronin

"Imagine going to a shopping mall in which researchers follow you from store to store, taking notes on every product you examine or buy. Would you shop in such a place? Chances are, you already do. Welcome to the Internet."

Saturday, January 17, 2004

Article: Protecting Privacy (from Maclean's Magazine)

News stories about PIPEDA are surprisingly few and far between, especially since the impact of the law is apparently at the top of business owners' concerns. According to a contact at the Canadian Federation of Independent Businesses, their phones have been ringing off the hook. One medical society has gotten more than fifty calls in the last two weeks from physicians asking what this is about and what it means to them. The Globe, the National Post and the CBC have had some coverage of PIPEDA since the middle of December. I was wondering when Maclean's magazine would have something.

I highly recommend reading the Maclean's article, entitled "Protecting Privacy". It quotes very well-respected authorities, such as the Information and Privacy Commissioner of Ontario, Ann Cavoukian, and the Assistant Privacy Commissioner of Canada, Heather Black:

"Trashed credit ratings. Debit card fraud. Nasty divorces. If you think privacy legislation is boring, think again. Since 2001, federally regulated companies -- banks and broadcasters, for instance -- have had to comply with Canada's updated privacy legislation. Since January 1, that obligation has been extended to every organization involved in commercial activities unless it's already covered by a provincial privacy code."

Release: Your online privacy is at risk, Michigan State Researchers show

Michigan State University recently put out a release about a research study undertaken at their institute. The release, entitled "Warning: Your online privacy is at risk, MSU research shows", suggests that website privacy policies may not be worth the electrons they are written on. This isn't a huge surprise. The surprising assertion is that certification by TRUSTe and BBBOnline isn't what it's cracked up to be.

"Consumers need explicit warnings about the threats of identity theft, spam and credit card fraud to deter them from innocently surrendering personal information online. This is the conclusion of a new study of online privacy practices conducted by Nora Rifon and Robert LaRose of Michigan State University.

Consumers who rely on privacy seals such as TRUSTe or BBBOnline to protect their privacy may be lulled into a false sense of security, the researchers said. An analysis of Web sites carrying the seals found that they ask for more personal information and protect it less than sites that have no seals. "

Unfortunately, the release does not link to the study itself, so the assertions are hard to validate.

To me, this highlights one of the benefits of the Canadian Personal Information Protection and Electronic Documents Act over these voluntary programs. PIPEDA requires that all information collection be reasonable and it further prohibits making it mandatory to provide any personal information that is not necessary for the purposes identified by the organization. Not perfect, but better.

Health Privacy Horror Stories

Health Privacy - Health Privacy 101 - This is an American organization (the Health Privacy Project), but they have a very interesting document called "Medical Privacy Stories" that contains pages and pages of privacy horror stories. Worth reading for anyone who is concerned about privacy of medical information.

Ontario Ministry of Agriculture releases guide to PIPEDA

The Ontario Ministry of Agriculture and Food has released a very brief introduction to PIPEDA. The focus of the introduction appears to be the non-profit sector, though I'm not sure that intentionally includes farmers in Ontario. The article is more useful for the resources linked to for deciphering how PIPEDA should be applied by charities. (My article about how PIPEDA applies to a particular organization is also referred to. In poking around, I've found that it is also linked from an article at Nathan Garber & Associates. The Garber article is similar to the Ontario Ag Ministry one.)

Release: "Privacy guidelines" for deployment of RFID technology adopted by Grocers Assoc

U.S. Newswire - Food and CPG Industry Leaders Endorse Privacy Guidelines for New Technology: It appears that the EPC Network, the Grocery Manufacturers of America and the Food Marketing Institute have come up with some privacy-protecting guidelines for the adoption of RFID technology (referred to as the "Electronic Product Code" or EPC) in retail grocery stores. I haven't found the code itself online, but the highlights are in the following press release:
"WASHINGTON, Jan. 16 /U.S. Newswire/ -- The boards of directors of the Grocery Manufacturers of America (GMA) and the Food Marketing Institute (FMI) today endorsed guidelines designed for use by companies engaged in the large-scale deployment of Electronic Product Code (EPC). The principles will help ensure that consumers' privacy rights are protected as EPC is implemented over the next several years. "

Thursday, January 15, 2004

Article: Federal spending is out of control: Bloc

Federal spending is out of control: Bloc: While not specifically a privacy story, this article from the Montreal Gazette reports on a Bloc Quebecois study. Among its shocking discoveries is that spending is up at the Office of the Privacy Commissioner.
"Spending was also out of control in the office of Canada's privacy commissioner, which had an increase of 175 per cent in its spending over five years. Former privacy commissioner George Radwanski was forced to resign in disgrace last year after a scathing report by the auditor-general detailed his lavish expense account spending and the mismanagement of his office."

Notwithstanding exactly where the money was spent by Radwanski, it seems to me that an office that has seen its mandate quadruple might need a budget increase. From everything I've heard, the Office of the Privacy Commissioner is impaired by their lack of ability to hire personnel and to pay for educating both businesses and consumers.

Wednesday, January 14, 2004

Article: Bar scheme could breach privacy rules

Local News - Vancouver - canada.com network: Bar scheme could breach privacy rules:
"John Bermingham
The Province

B.C.'s privacy commissioner is wary of allowing high-tech gizmos to keep tabs on bar patrons and taxi customers. David Loukidelis said he has concerns with a proposed scheme by bars in Vancouver to take pictures of patrons and swipe data from their driver's licence -- name, age and licence number -- into a computer."

Tuesday, January 13, 2004

Article: A grocery store that practically reads your mind

St. Petersburg Times: A grocery store that practically reads your mind:

"One big impediment until now has been Big Brother privacy fears. Critics say the chip attached to a package of Gillette Mach III razors could keep beaming its location all the way to the buyer's home, paired with his name and address that's in the store's computer database. And the chip attached to a coat or jacket even could be tracked to reveal the user's visits to a bank, a shopping mall or a strip club. But proponents say that's not a likely scenario because the establishment would have to be equipped with RFID antennas to pick up the signal.

Still, to assuage such privacy fears, Metro added an extra computer terminal at the store exit. Shoppers can de-activate the chip inside each product one at a time if they don't want their purchases tracked beyond the store's exit."

Article: Is Big McBrother invading workplace privacy?

The Globe & Mail: Is Big McBrother invading workplace privacy?
By GRAEME SMITH
Tuesday, January 13, 2004 - Page A8

WINNIPEG -- To a regular customer, the McDonald's restaurants in Winnipeg give no hint that they're testing controversial new [biometric] devices for monitoring employees.

Monday, January 12, 2004

Article: Australian Navy exposed sensitive gynaecological information on the web

Australian IT - Navy women exposed on the web (Cameron Stewart, DECEMBER 20, 2003)

From Australia - Oops:

THE federal Government has apologised after the names of naval women who have undergone gynaecological treatment were published on a government website.

In an apparent breach of privacy laws, the personal details of at least six navy women have been listed in gazettes that can be accessed by the public.

The information includes the names of the women and the cost of their gynaecological treatment as well as the naval base at which they work and the name and address of the doctor who treated them.

Article: Manitoba decides 'invasive' high-tech bio drivers' licences too expensive

Yahoo! News - Manitoba decides 'invasive' high-tech bio drivers' licences too expensive:
"WINNIPEG (CP) - Manitoba drivers will not have to provide biometric information such as fingerprints for new drivers' licences being developed by the provincial government. "

Sunday, January 11, 2004

Public Interest Advocacy Centre on Privacy

In my previous post below, I made a reference to the Public Interest Advocacy Centre. They have been very active on the privacy front, making well-reasoned submissions on PIPEDA when it was still "Bill C-6" and on the Canadian Standards Association Model Code for the Protection of Personal Information in 2002.

In 2001, the PIAC complained to the Privacy Commissioner about the consent practices of a number of high-profile businesses, including Scotiabank, Bell (and a bunch of its subsidiaries), the Bay and Airmiles (operated by the Loyalty Group). The full text of the Commissioner's findings is on the PIAC site, instead of the abbreviated versions that are on the Commissioner's site.

When I read the Commissioner's report on the Airmiles Program, it was interesting to read the following comment, made after reviewing the Airmiles privacy commitment:

Nor, curiously, does it mention two points that I suspect many prospective members would be relieved to learn: (1) that Loyalty limits its disclosure of information to the items that I have listed above and does not identify specific purchases; and (2) that Loyalty does not disclose Collectors' transaction information between Sponsors.

Most people I talk to assume that loyalty programs -- and at least this program -- collect detailed "shopping cart" information. With pharmacies as members of the Airmiles program, this would be a huge issue.

Article: Canada 'voyeur' bill still on shelf

The Calgary Sun: Canada 'voyeur' bill still on shelf: Among the pieces of legislation at risk following Parliament's early recess is Bill C-20, which includes provisions to protect people from voyeurs. The Calgary Sun has an article in today's paper about the bill and its fate:

"Sunday, January 11, 2004
Canada 'voyeur' bill still on shelf
By MICHELLE MARK, CALGARY SUN

Amendments to the Criminal Code aimed at protecting innocent people from being exposed -- naked -- on the Internet have fizzled despite a greater misuse of sexually explicit pictures than ever before.

Bill C-20, which died because of an early parliamentary recess last fall and has yet to be brought back to life, addresses proposed voyeurism offences in a day of sexual liberation, digital cameras and easy access to the Internet. "

Article: Loyalty cards plus legwork can track beef buying

The Seattle Times: Loyalty cards plus legwork can track beef buying: Loyalty cards raise quite a few privacy issues. Many people worry about what is done with information that is collected through their use and many people assume the worst about the practices of companies that operate the cards. (See CASPIAN - Consumers Against Supermarket Privacy Invasion and Numbering.) Almost all the discussions I've seen revolve around privacy and marketing. This article from this morning's Seattle Times puts a very interesting spin on what can be done with information that may be collected when consumers use their loyalty cards.

"Sunday, January 11, 2004
By Carol M. Ostrom, Seattle Times staff reporter

If you use a supermarket loyalty card, the store knows a lot about what you buy. But can you use that card to find out if you bought recalled meat from the nation's first mad cow?

Not very easily, say supermarket chains that use such cards, which include the Safeway Club Card, QFC Advantage Card and Albertsons Preferred Savings Card. "

On the subject of loyalty programs, the Public Interest Advocacy Centre's website contains some materials (see their privacy page at http://www.piac.ca/privacy.htm) related to their complaint about (alleged) inadequate consent against the Air Miles program, among other respondents. Most interestingly, they have published the full text of the findings of the Commissioner, which are usually only released in abbreviated form.

Friday, January 09, 2004

Article: Casino chips to carry RFID tags

New Scientist: Casino chips to carry RFID tags

When rumours surfaced in 2003 that the European Central Bank was quietly planning to put RFID (radio frequency identification) tags in euro banknotes to combat fraud and money laundering, privacy groups balked at the possibility that anybody with an RFID reader could count the money in wallets of passers by.

While the rumours have not been confirmed or denied, a new generation of casino chips with built-in RFID tags is giving an insight into the way banks and shops could keep track of real money if it were tagged. The chips will be launched later in 2004 and will allow casino operators to spot counterfeits and thefts, and also to monitor the behaviour of gamblers.

RFID tags are tiny silicon chips that broadcast a unique identification code when prompted by a reader device. The tags do not need batteries, since they simply modify the radio signal fired at them by the reader. The readers work over distances ranging from a few centimetres to a few dozen metres, depending on the type of tag.

Counterfeit chips have long been a problem for casinos, and houses routinely mark their chips with inks visible only in infrared or ultraviolet light. Embedded RFID tags should make the chips much harder to counterfeit, and placing tag readers at staff exits could cut down on theft by employees.

The tags could also help casinos manage large-scale theft. If a large stash of chips goes missing after a table is overturned during an argument, for example, casinos sometimes have to change their entire stock. This is unpopular with gamblers, since any chips that they have not cashed become worthless. RFID tags would allow the casinos to identify stolen chips without the expensive process of restocking.

Article: Wrong numbers! Celeb phones leaked

The Salt Lake Tribune -- Wrong numbers! Celeb phones leaked!
"By Glen Warchol
The Salt Lake Tribune

Every fan has fantasized about picking up the phone and talking sports with Steve Young, Kareem Abdul-Jabbar or Mike Ditka. Or about asking Pete Rose why he would gamble away the Hall of Fame.

It's an impossible fantasy given brief credibility Wednesday by The Associated Press. The world's largest wire service accidentally transmitted an internal list of sports figures' phone numbers to many of its media customers. "

Article: How CIBC complied with Canada's privacy law

ITBusiness.ca: "How CIBC complied with Canada's privacy law
3/5/2002 5:00:00 PM - The bank got an early start on changes to the way it collects personal information from its customers. Its next challenge: express consent"

Article: Enterprises prep for PIPEDA panic

This article from ITBusiness.ca has some interesting things to say. I tend to agree with its theme; the greatest risk that most businesses face from PIPEDA is the significant potential for damaging -- if not ruining -- an organization's reputation and trust with stakeholders. The Commissioner may not decide to publicly castigate a particular business, but we've certainly seen a willingness of the aggrieved to contact the press on their own. With increased awareness of privacy issues, the media are starting to listen to disgruntled customers.
"Time's up: If you haven't become compliant with Canada's new privacy law, you could run what one lawyer calls 'headline risk.' Will warding off the dangers become a full-time job?"

Thursday, January 08, 2004

Conferences: International Association of Privacy Professionals

The International Association of Privacy Professionals (IAPP) is planning what looks like an amazing conference in Washington, DC in February. Keynote speakers will be the Privacy Commissioners from Canada, Ontario, the U.K., Hong Kong and Spain.

"The Fourth Annual Privacy & Data Security Summit & Expo will provide today’s privacy professionals with answers to today’s daily operational challenges with input from front-line experts. Through plenary sessions from internationally recognized privacy leaders and a wide array of industry tracks, you will gain the background and knowledge you need on healthcare, governmental, financial, security, technology, marketing and email privacy issues. Register Now to ensure your attendance at the IAPP’s 4th Annual Privacy & Data Security Summit."

Wednesday, January 07, 2004

Article: Companies Alter Privacy Policies

Internetnews.com: Companies Alter Privacy Policies: (January 2, 2004)
"As online marketing matures, many companies are finding privacy policies that once seemed acceptable as constricting as clothing that has been outgrown and, like a too-tight suit, must be altered.
'Often, a company will create a privacy policy that seems to have all the important parts, but then turns out to be untenable in some way,' said Larry Ponemon, head of the Arizona-based Ponemon Institute. His organization researches privacy issues and verifies companies' privacy and data protection practices."

Article: Wired News: BlackBerry Reveals Bank's Secrets

Wired News: BlackBerry Reveals Bank's Secrets (From August 2003, but a goodie):

"The eBay ad read 'BlackBerry RIM sold AS IS!' So Eugene Sacks (not his real name), a Seattle computer consultant who always wanted one of the pager-size devices to check his e-mail, sent in a bid. For just $15.50, he bought the wireless device with 4 MB of memory.

The BlackBerry didn't come with a cable, synching station, software or a manual. But it did come with something even more valuable: a trove of corporate data. "

(I've also found this story referred to on the LawTech Guru Blog: "Juicy Blackberry Information Leaves a Stain".)

Tuesday, January 06, 2004

Finding: Debtor cannot withdraw consent to sharing of his/her credit information

Commissioner's Findings - September 4, 2003 - Privacy Commissioner of Canada: PIPED Act Case Summary #211: Bank accused of improperly disclosing overdraft information to another bank

Among other complaints to the OPC, a couple complained that they were not allowed to withdraw their consent for future information disclosure to other lenders, credit bureaus or credit-reporting agencies. The couple's account had become delinquent and was referred to the bank's collections division. The couple got a loan from another bank and wanted to refuse to allow the original bank to communicate their credit information to other parties.

The first bank's position was that it had the couple's consent to the disclosure of their personal information by virtue of the personal loan service authorization they had signed a few years earlier when their personal credit reserve was arranged. This document stated that the couple authorized the bank to disclose to other lenders, credit bureaus or other credit-reporting agencies personal and credit information about them. The bank further stated that the couple could not withdraw their consent for future disclosure because the sharing of such personal information is required to maintain the integrity of the Canadian credit-granting system.

Commissioner's Findings ...

It has been confirmed in other cases considered by the Office that the credit system in Canada depends upon the fulfillment of myriad contractual and legal obligations.

If individuals could withdraw their consent to disclosure of their credit history with a particular lender, the credit system would not work.

On this basis, the Commissioner determined that the bank was justified, on legal and contractual grounds, in refusing to honour the couple's request for withdrawal of consent to the sharing of their personal financial information with other lenders, credit bureaus or credit-reporting agencies. He found, therefore, that the bank was not in contravention of Principle 4.3.8.

This finding appears to answer (albeit not definitively) a relatively common query among credit grantors when informed that PIPEDA contains the following provision:

4.3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

It appears that as long as the credit agreement contains a consent to the exchange of credit information with the usual parties, the debtor is not able to unilaterally withdraw that consent. Prudence would suggest that credit grantors would want to include language that explicitly informed individuals that they are not able to withdraw consent.

Article: Privacy Act imperils provinces' ability to make local business laws

National Post: Privacy Act imperils provinces' ability to make local business laws by Simon Chester of the Financial Post

Tuesday, January 06, 2004
"...Jean Charest's Quebec government has just cast the future of Ottawa's new privacy law -- the Personal Information Protection and Electronic Documents Act -- into doubt. The Quebec government, in its first constitutional battle with Ottawa in a decade, has asked the courts to decide whether Ottawa has any power to force Canadian businesses, of whatever size, to meet national privacy standards...."

Article: National Post - Business bulldozer

National Post: Business bulldozer, Paul Kedrosky of the Financial Post

Most Canadian executives were unaware that privacy legislation would be foisted on them Jan 1. Now that it's here, expect a deluge of complaints as firms struggle to comply with an act that is both unhinged and complex

Website: Mathew Englander, privacy advocate

Mathew Englander was one of the very first complainants under PIPEDA. According to sources at the Office of the Privacy Commissioner, his complaint was sent by e-mail on January 1, 2001 at 12:01 am. He complained that Telus, the phone company in British Columbia, violated PIPEDA by requiring the payment of a fee to have an unlisted number. His complaint was determined by George Radwanski to be "not well founded" (See PIPEDA Case Summary #8). Mr. Englander took the case to the Federal Court, where Blais J. agreed with Radwanski (See Englander v. Telus, [2003] FCT 75). The case is now under appeal and Mr. Englander has made his Memorandum of Fact and Law [PDF] for the appeal available on his website. His website also has other links, including a page on telemarketing rules in Canada.

The Englander case will be one to watch, because it raises some very important issues that need to be sorted out. One question is how much of an obligation consumers have to educate themselves about a company's privacy practices and policies. Telus apparently never told customers about the option of having an unlisted number or of having their names included in the normal directory but left off CD-ROMs sold to marketing companies. There is also an issue of how PIPEDA interacts with other statutes or regulators, such as the Canadian Radio-Television and Telecommunications Commission, which had OK'd the Telus practices. Finally, there is the key issue of whether the hearing before the Federal Court is really a completely de novo hearing or whether the Privacy Commissioner should be granted some curial deference. Stay tuned!

Monday, January 05, 2004

Article: Yahoo! News - Automobile 'black boxes' help solve crash mysteries, raise privacy concerns

Yahoo! News - Automobile 'black boxes' help solve crash mysteries, raise privacy concerns

... The growing use of computerized systems to monitor vehicle operation, including on-board satellite navigation units and even electronic highway toll devices, has Big Brotherish undertones.

Some GM vehicle owners even launched a suit in 2000 claiming they weren't aware their cars could record their driving. GM owners' manuals do mention EDRs but the automaker has strengthened notices in the books, which few owners read anyway. ...

Article: TheStar.com - Contentious laws will mould technology

CONTENTIOUS laws, lawsuits will mould technology

Toronto Star, Canada

... Jennifer Stoddart, Quebec's former privacy commissioner, has taken over as the federal privacy commissioner and will no doubt spend 2004 working to refurbish ...

Sunday, January 04, 2004

RFID Privacy Blog

MIT held a workshop on RFID (Radio Frequency Identification) Privacy in November 2003. During the preparations, a blog (RFID Privacy Happenings) was created that highlighted RFID privacy issues in the news. It appears to be outliving the workshop itself and contains a good variety of news links. Also, the agenda page for the workshop links to PDF versions of the speeches and presentations. For more background on RFID chips and privacy issues, take a look at Spychips.com.

Saturday, January 03, 2004

Article: BankRI Announces Security Measures in Response to Stolen Laptop; Potential Release of Data Poses No Risk to BankRI Accounts

Interesting press-release, issued by Bank Rhode Island following the theft of a contractor's laptop containing customer account information:

December 18, 2003 11:33 AM US Eastern Timezone

BankRI Announces Security Measures in Response to Stolen Laptop; Potential Release of Data Poses No Risk to BankRI Accounts

PROVIDENCE, R.I.--(BUSINESS WIRE)--Dec. 18, 2003--Bank Rhode Island said today that its principal data service provider, Fiserv, Inc., reported the theft of a laptop computer that contained some BankRI customer information.

The Bank emphasized that it had no indication that this information has been misused or been improperly accessed. As a precaution, BankRI has notified all customers whose information was potentially included on the stolen laptop, is monitoring accounts for unusual activity, and has augmented its internal security procedures.

Article: Nothing's sacred ... nor secret

Below is a link to an interesting article from San Francisco about the connection between security and privacy. The author describes some recent incidents that emphasise the role of security in protecting privacy. The first incident shows how identity thieves may target inadequately secured computers that contain sensitive personal information: Nothing's sacred ... nor secret, with thanks to BankingInfoSec.com for the link.

An article in the Register.co.uk discusses lessons to be learned from the theft of a bank's laptop containing customer account information. Though it is pretty specific to the banking indsutry under California law, the author's conclusion is rather clear:

Companies ... should remember that they are mere fiduciaries of other people's money, information and privacy, and do the right thing to protect it in the first place. And they should notify consumers promptly if the information is compromised, and help their customers fix any problems that result from the potential breach. It may not be the law, but it's a good idea.

Under PIPEDA, organizations are responsible for safeguarding personal information against accidental or malicious access, destruction or disclosure. Although there appears to be no obligation to inform customers about such a breach, the moral imperative is clear. In addition, disclosure will give customers the opportunity to mitigate any harm that may result from an accidental disclosure.

The dawn of a new era

Over the last couple of days, it has been interesting to see how visible PIPEDA is in the various stores I have visited. Yesterday, I went to Superstore, which had a notice up on the pharmacy desk. The sign said that because of a new law, they would have to get the consent of customers for the collection and use of their personal information. I didn't see any brochures. I decided to check out their website and followed the links to the pharmacy. Clicking on "Privacy Policy" leads to the general Loblaws privacy policy. The policy is a pretty close adaptation of the ten principles from PIPEDA, without much discussion of data sharing that may take place.

This morning, at Home Depot, I noticed a laser printed sign taped on the counter that suggested customers check out the Home Depot Canada Privacy and Security Statement, which is available on the Home Depot Canada website.

Friday, January 02, 2004

Privacy Commissioner clarifies the requirements for "opt-out" consent

Commissioner's Finding 207 - August 6, 2003 - Privacy Commissioner of Canada

In a recently-released finding, the Privacy Commissioner (Robert Marleau) provided some long-awaited guidance on the use of "opt-out" consent. Opt-out consent is expressly provided for in PIPEDA (Principle 3 - Consent), but was consistently denigrated by former Commissioner George Radwanski. Businesses have been left wondering where it stands and what they can expect from the OPC if they use opt-out. Well, in decision 207, some definition is given to the shades of grey of the consent principle. The finding contains the following:

  1. The personal information must be clearly non-sensitive in nature and context.
  2. The information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed and the extent of the intended use or disclosure.
  3. The organization's purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected.
  4. The organization must establish a convenient procedure for easily, inexpensively, and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of this procedure at the time the personal information is collected.

More problems with taping customer calls

Commissioner's Finding 215 - August 26, 2003 - Privacy Commissioner of Canada

The Privacy Commissioner's website contains a newly-released finding related to recording of customer calls. The organization in question - a bank - had been the subject of an earlier complaint and apparently had not learned much in the interim. At the conclusion of his finding, interim Commissioner Marleau made the following recommendations to the bank:

With regard to the complaint proper, the Commissioner made the following recommendations:

  1. The bank should alter its call recording system to the effect that (a) telephone agents will have control over the taping so that they may initiate it on indication of the customer's consent and end it at the customer's request and (b) recorded calls will be stored and catalogued in such a way that they may be easily and individually retrievable and, where circumstances warrant, erasable.
  2. The bank should include, in the activation instructions accompanying any new credit card, clear notifications to the effect that (a) telephone conversations with activation centre agents will be tape-recorded and (b) an alternative automated activation system is available.
  3. If the bank intends to continue recording calls to its card activation centre from the point of telephone connection, it should ensure that its agents notify the caller immediately at the outset that the call is being recorded. Alternatively, the bank should consider not initiating the recording of any call until after the notification is given.
  4. The bank should also ensure that its agents notify objectors of alternatives to the taping of card activation calls - notably, the automated activation system. Ideally, the agent should begin by notifying the caller of card activation options and should commence the recording of the call only if the caller indicates a clear preference for proceeding through conversation with the agent.

The Commissioner expressed his disappointment at the evidence that, despite the findings and recommendations in a previous case, the bank was continuing as a matter of course to tape customer calls without informing callers of the fact at the outset, without specifying purposes in a clear and consistent manner, and without offering alternatives. He noted that the bank's initial explanation that this was merely a training issue - that it was simply a matter of employees not yet being familiar with new policy and procedures - was no longer acceptable a year after the fact. He therefore made the following additional recommendations:

  1. The bank should review, consolidate, and revise its policy and procedures regarding the tape-recording of customer calls in accordance with the findings and recommendations in this and the prior case.
  2. The bank should conduct a formal training program to ensure that all its telephone agents are knowledgeable and proficient in the consistent application of policy and procedures regarding the tape-recording of customer calls.

New articles

Here are some interesting, recent articles on the last phase in the implementation of PIPEDA:

Quebec expected to challenge PIPEDA's constitutionality.

According to an article in the Toronto Star, TheStar.com - Privacy law faces legal challenge, the government of Quebec intends to challenge the constitutionality of the Personal Information Protection and Electronic Documents Act. This is a bit of a surprise, because PIPEDA does not apply to provincially regulated organizations in Quebec since the federal cabinet issued an order deeming the Quebec privacy law to be substantially similar to PIPEDA. (See the announcement from the Office of the Privacy Commissioner of Canada, referring to the Organizations In the Province of Quebec Exemption Order.)

Welcome to the Canadian Privacy Law blog

This is the inaugural entry in the Canadian Privacy Law blog ... Something that I hope will be a useful spot for reporting developments in Canadian Privacy Law.

And now a word about me: I'm a lawyer practicing privacy law at Atlantic Canada's largest single law partnership, McInnes Cooper. My "official biography" is at http://www.mcrlaw.com/cgi-bin/article/showstaff.cgi?personID=112&action=show, if you are curious. Of course, any stuff I post on this blog is not an official statement of McInnes Cooper, nor is it any sort of legal opinion.

I've decided to create this blog because Canadian privacy law is in a period of rapid transition and transformation. As of January 1, 2004, the Personal Information Protection and Electronic Documents Act (aka PIPEDA or the PIPED Act) began to apply to every organization that collects, uses and discloses personal information in the course of commercial activities in Canada, except in those provinces that have legislation that has been deemed to be substantially similar. At the moment, only Quebec's law has been deemed to be substantially similar.

PIPEDA has been around for a little while; it began to apply to "federal works, undertakings and businesses" on January 1, 2001. Though it isn't exactly new, many of its principles remain untested and many key terms are not satisfyingly defined. For example, PIPEDA requires consent for the collection, use and disclosure of personal information and that consent has to be commensurate with the sensitivity of that information. The thresholds for opt-in, opt-out, express and implied consent are relatively untested. Therefore, anyone who wants to fully understand the law needs to keep up to date on developments at the Office of the Privacy Commissioner and the Federal Court of Canada.

I hope to post links on this site to recent findings, decisions and articles on the privacy law. I'll even throw in some of my own thoughts, for good measure.
As a preliminary matter, below are a bunch of articles that I've written on the topic of Canadian privacy law that may be of assistance to those trying to find their way through PIPEDA: I hope this is useful to those interested in Canadian privacy law.