Tuesday, August 31, 2004

Collection practices to avoid

A blogger from India has posted an e-mail of complaint that he sent to his cellular phone company, complaining about its collection practices. It appears that they make liberal use your calling records to track you down and to tell your friends and colleagues that you should pay your bill. Not a good practice and it certainly wouldn't fly under PIPEDA. We have the benefit of a similar situation that was considered by George Radwanski last year. In PIPEDA Finding #225, the Commissioner admonished a collection agency for leaving a phone message with a debtor's aunt that disclosed the existence of the debt. They had implied consent to leave a message to have the debtor call them, but disclosing the debt went over the line. Similarly, Radwanski found that a telephone company had improperly used personal information in Finding #61 by using called numbers to track down a delinquent customer. Just don't do it.

Below is an extract of the original blog post, which came to my attention via Engadget and TechDirt:

Manish Jethani - Unethical practices by Hutch collection agents: "[snip]

Last month, one of your collection agents, [agent's name and phone number], called up a friend and prospective client of mine, [my friend's name and phone number], seeking information on my whereabouts and requesting payment of the bill.

The aforementioned unwarranted and unethical act of [agent's name], on behalf of your department, has caused damage to my reputation with my client, potentially costing me business of several thousand rupees. It is absolutely unacceptable for a collection agent to get in touch with a customer's relatives, friends, clients, and any other contacts, regarding the customer's bill payments. Since I am told that this is standard practice at Hutch India, I am out to fight against it.

Here is what I am looking for:

  • Written apology from Hutch India.
  • Assurance from Hutch India that any such unethical practices currently employed by the collection agents will be discontinued with immediate effect.
  • Compensation for damages.

[snip]"

Monday, August 30, 2004

Australia begins review of private sector privacy legislation

The Australian Attorney General, Philip Ruddock, has initiated a review of private sector privacy legislation in that country.

Computerworld | Ruddock sets up privacy law review:

"Enterprises handling the personal information of customers are being given a second chance to influence the operation of the federal Privacy Act (1998). Federal Attorney General Philip Ruddock has announced a review of private sector provisions of the law.

According to a statement from Ruddock's office, Federal Privacy Commissioner Karen Curtis has been asked to 'examine the impact of the legislation on the community and the private sector', with the review assessing whether regulation of the private sector has been a success since the introduction of national legislation three years ago.

Specifically, the review will consider whether the laws have achieved a 'comprehensive national scheme for the private sector that regulates how organizations collect, use, store, disclose and transfer individuals' personal information'. "

Interested readers should note that Canada's PIPEDA is subject to mandatory review, which will take place next year.

Sunday, August 29, 2004

Article: Plan to match Canadian passport photos with terrorist watch lists in works

The Canadian Department of Public Security has been involved in a trial of facial recognition software that, they hope, will be used to match passport photos against the mugshots of known and suspected terrorists. I'll be curious to see the results of the privacy impact assessment, if it is released:

Plan to match Canadian passport photos with terrorist watch lists in works:

"OTTAWA (CP) - Federal officials plan to screen the photos of Canadian passport applicants against images of suspects on terrorist watch lists.

The Passport Office recently tested a computer program that compares a picture of a face with thousands of other mugshot-style photos and zeroes in on possible matches.

The office is seeking approval from the federal privacy commissioner to use the facial-recognition technology in processing passport applications.

The proposal has raised questions about the accuracy and potential intrusiveness of the system among those who study the effect of security measures on privacy and civil liberties. "

I did some looking around the Public Safety and Emergency Preparedness Canada website and didn't find the report referred to in the article. If any readers know where to find it, please drop me a line.

Re: F-bomb-dropping attorney gets worldwide notoriety

I was thinking a bit more recently about the story that was the basis for my previous post ("F-bomb-dropping attorney gets worldwide notoriety"). There is a second privacy aspect ... Thanks to the internet, the Chicago lawyer who left the message in question is probably going to be living with the incident for a very long time. It is now routine to google job applicants, contacts and just people you know. If he finds himself looking for a job or going on a blind date, googling his name will bring back this story as if it only happened today. I've heard it said that you should never write anything in an e-mail that you wouldn't wanted reported on the front page of the New York Times. This is a reminder that you shouldn't write an e-mail or leave a voice-mail that you wouldn't want on the front pages, either. The internet takes it to the next level, since it is all a quick click away.

Saturday, August 28, 2004

F-bomb-dropping attorney gets worldwide notoriety

Most of this article and the buzz surrounding this incident (see below) is about lawyer civility and its supposed decline since the "good old days". It also serves as a reminder that many voicemail systems make messages very portable. Some systems send messages as e-mails with a .wav attachment. A breeze to forward far and wide. Not only should you be careful about what you leave on someone's message machine (see the Federal Privacy Commissioner's finding against a bank on this subject: PIPED Act Case Summary #270: Bank agrees to modify automated message), but you should remember that they can be easily saved and fowarded to goodness only knows where.

F-bomb-dropping attorney gets worldwide notoriety

August 25, 2004
BY ERIC HERMAN - Business Reporter

So much for professional courtesy.

A Chicago lawyer's expletive-filled phone message circulating on the Internet is providing fresh evidence to those who say lawyers' standards of behavior are eroding. ..."

The voice mail message (along with some commentary) is posted on on KinsellaLaw, for the curious.

Thanks to Bag and Baggage for leading me to this...

Friday, August 27, 2004

Article: Credit-card processors gear up for new privacy law

I find it amazing that when I closely examine the detritus of daily life (by emptying my pockets at the end of the day), I discover that so many merchants still print all the digits of the card number on credit and debit card receipts. Why? Why? Why? There is simply no need to have that info there and by it threatens the privacy of the cardholders.

The problem is usually compounded by a pretty cavalier attitude toward these flimsy pieces of paper. How many times have I picked up someone's reciept from the check-out at the grocery store, only to find a full credit card number, complete with expiry date? Or a full debit card number? When I mention it to the clerk, they just chuck it in the garbage. If you want to commit fraud, I can tell you the dumpsters to dive in.

PIPEDA, thanks to its broad statement that you must secure personal information against accidental disclosure, etc., probably requires obscuring at least part of the number. But not enough retailers have read it. At least the US is taking this seriously. The Fair and Accurate Credit Transactions Act requires card "truncation" by January 1 and some state laws have mandated it for some time:

Credit-card processors gear up for new privacy law:

"By Marion Davis, Staff Writer

A federal law requires merchants to truncate personal information on credit card receipts by Jan. 1. Does your business take credit cards? If so, when the slip prints out, how much of the customer's card number is included? If it's more than the last five digits, and/or if the expiration date shows, you need to upgrade your terminal by Jan. 1.

A federal law passed last December, the Fair and Accurate Credit Transactions Act, requires credit-card "truncation" by that date, and a new state law makes merchants liable, starting in 2007, for any resulting fraud, plus legal fees, if they don't comply.

Some states, starting with California, have been gradually implementing truncation mandates for new terminals since 2001, but it was only last January that the first laws affecting existing machines kicked in. Some are tougher than Rhode Islandos: In Maine, anyone who didn't switch by last Jan. 1 is already subject to a $1,000 penalty; in Arizona, as of June 1, merchants who don't truncate can be fined $10,000. "

I gather that Visa/Mastercard have made this mandatory for their Canadian retailers by 2005.

Thursday, August 26, 2004

Article: Blawgs may be worth a try

I just discovered an article about Canadian lawyers' blogs from Canada Law Book. It mentions this blog, but I didn't know about it when it came out in June. And I'm not too offended that the author didn't get my name right.

Blawgs may be worth a try

...

"The marketing advantage of blawgs are that they put your name out there," says Girard. "If a blawg is reasonably well read, it will move up pretty quickly in the Google rankings."

Aficionados estimate that there are currently about 500 law-related blogs online in the United States, which indicates the trend is still in its infancy. Interested readers can search them out by going to www.blawg.org

In Canada, an initial Law Times search turned up only Girard's site (www.e-Lawg.com). Later searches found a few more: one for a lawyer in Nova Scotia on elder law (www.nselderlaw.ca), one on privacy law from David T.S. Cooper FRASER at McInnes Cooper in Atlantic Canada (pipeda.blogspot.com), Martin G. Ertl in B.C. has two, www.opinionated.ca and another called Boiler-plate (contract.matinertl.ca), which is "dedicated to elegant drafting in contracts."

Michael Crawford, a marketing and communications consultant with marketingdept.biz in Toronto, thinks he knows why there are so few in Canada.

Read the full article here.

Article: Watch those attachments!

Another helpful reminder from a (hopefully remorseful and sheepish) organizer of the Rupublican convention that you need to double-check your attachments before clicking send.

E-mail to volunteers gets a bit personal

BY DEBORAH S. MORRIS
STAFF WRITER

August 26, 2004

Oops! A welcome e-mail that was sent to hundreds of volunteers for the Republican National Convention inadvertently included the name, address, Social Security number, race and other personal information of those volunteers.

The e-mail, with a subject header of "Transportation Volunteer Information - Final Email Before Your Arrival to NYC," was sent out yesterday across the country and apparently was to serve as a checklist for transportation volunteers' arrival on Saturday.

At the end of the e-mail, two attachments, which when opened, display private information such as volunteers' home, work and mobile phone numbers as well as their birthdates, rooming information and other personal information. The information, if it landed in the wrong hands, would be a security concern.

"The attachment was inadvertent," Leonardo Alcivar, spokesman for the Republican National Convention, said yesterday. "As a precaution, security [personnel] has been alerted and will take any additional steps necessary to protect the integrity of anyone listed."

...

Thanks to PrivacySpot for the pointer.

Wednesday, August 25, 2004

READ THIS! Privacy chief to e-commerce firms: Don't blame PIPEDA

I highly recommend reading this article from ITBusiness.ca. It quotes from both Jennifer Stoddart (Federal Privacy Commissioner) and Anne Cavoukian (Ontario Commissioner) emphasising how important it is to gain and maintain customer trust. So, get your privacy act together.

Privacy chief to e-commerce firms: Don't blame PIPEDA

8/25/2004 5:00:00 PM - Jennifer Stoddart defends the federal legislation and warns software vendors about potential damage to their corporate reputations. Plus: Why can't security and privacy assessors get along?

...

Stoddart made an aggressive pitch, referring to a 2002 Leger Marketing survey that found issues with security and privacy continue to be the biggest barrier to Canadians making online purchases.

"These fears are fuelled by an identity theft problem galloping out of control, which is estimated to result in losses of $2 trillion worldwide by the end of 2005," she said.

Stoddart cautioned that while a company may see a business opportunity in data mining, "their next door neighbour might see it as an unacceptable invasion of privacy".

Yet, if a business conforms with PIPEDA’s "informed consent" and "document storage" provisions on the treatment of personal electronic information, that business stands to recoup the loyalty of would-be customers, she said.

"This will help you grow your business by improving trust."

Ann Cavoukian, information and privacy commissioner of Ontario and one of Stoddart’s co-presenters, pointed to a Harris/Westin poll conducted in 2001 and 2002 which supported her federal counterpart’s argument.

Over 90 per cent of the poll’s respondents said the volume and frequency of business they conduct with a company is directly related to the level of confidence they have in that company’s privacy practices. The same poll found that 83 per cent of respondents would stop doing business with a company if they felt that their personal information was misused. ...

Article: California Legislature OKs offshore privacy bill

California's legislature has passed a bill regulating privacy aspects of the offshoring of personal information processing. It has landed on the Governator's desk for signature or veto. We'll keep you posted ...

Legislature OKs offshore privacy bill

MEASURE PROTECTS CONFIDENTIAL CONSUMER DATA SENT OVERSEAS

By Karl Schoenberger
Mercury News

A bill that would protect the privacy of personal medical and financial information when it is processed overseas in an offshoring contract was approved by the Legislature and has been sent to the governor's desk, the author of the legislation announced Tuesday.

State Sen. Liz Figueroa, D-Fremont, said her bill -- SB 1451 -- provides that a stringent existing California law protecting consumer privacy in the state would apply to anyone who has access to such confidential information no matter where they are located. ...

Document meta-data FAQ and risk information

That Word (or other document) you send may give away your confidential information and even leak personal information outside of your company. Many are aware that "metadata" is commonly embedded in certain document formats. (I recently received a document from a client that was riddled with metadata, including tracked changes that showed changes made by the other side's lawyer and "notes to draft" about certain clauses. It came from one of the leading firms in Canada, acting for a VERY large company that, ironically, is a major player in the data security area. But I digress ...) In any event, this has become a significant security risk. Workshare (maker of DeltaView and, coincidentally, a metadata remover called Workshare Protect) has established a "public benefit" site to provide information about content security risks. It's called MetadataRisk and is at http://www.metadatarisk.org. To give Workshare credit, there is no marketing material on the site and it has some good content. Thanks to PrivacySpot for leading me there ...

Tuesday, August 24, 2004

Article: NWT privacy commissioner appalled by some cases

The CBC has an interesting story, reporting on the annual report of the privacy commissioner of the Northwest Territories. The incident highlighted in the article shows the challenges of not building a privacy culture within an organization:

NWT privacy commissioner appalled by some cases

...Keenan-Bengts says senior officials were more concerned about the impact the complaint could have on their reputation, than they were about the woman's privacy.

"I was just appalled, I was just absolutely appalled by the circumstances and I think it's important that these very bad situations be brought to the fore so that they don't happen again."

It is interesting to note that Privacy Commissioners in Ontario and NWT have recently gotten appalled and are not being shy about saying so.

As an aside, I'm trying to track down a copy of the Commissioner's report. I'll post any interesting or instructive nuggets.

Canadian Bankers push for ID theft law

A number of privacy stories are coming out of the meeting of Chiefs of Police this week. Among them is a presentation by the Canadian Bankers Association, calling for stronger criminal laws specifically dealing with ID theft. See the following article from the Globe & Mail, a portion of which is quoted below:

Stronger ID Theft Laws Needed, CBA Says

VANCOUVER — The Canadian Bankers Association will advocate for new identity theft legislation at this week's national police chiefs' convention in Vancouver.

On Wednesday, the banking association's security director will address the Canadian Association of Chiefs of Police about the need to reform the Criminal Code to curtail identity theft.

"It's part of our ongoing effort with law enforcement," said Caroline Hubberstey, banking association spokeswoman.

Among other changes, the banking association wants to see identity theft clearly defined in the Criminal Code. They also want to make it an offence to possess multiple pieces of other people's identification, Ms. Hubberstey said.

At present, about 30 Criminal Code offences and one under the National Defence Act address identity theft, she said.

Monday, August 23, 2004

Can't use PIPEDA to avoid relevant questions in litigation

I think any privacy lawyer would have predicted the result of this Ontario court decision about whether you can use PIPEDA as a shield against answering questions in the course of litigation, but it is good to have authority on the point. The full text of the decision is available on CanLII at http://www.canlii.org/on/cas/onsc/2004/2004onsc11636.html. Below is an excerpt of the relevant portions of the decision.

FILE NO.: 03-CV-251465-CM1

DATE: 20040706

SUPERIOR COURT OF JUSTICE - ONTARIO

RE: Clustercraft Jewellery Manufacturing Co. Ltd. - Appellant

- and -

Wygee Holdings, Ltd. Artam Diamonds International

Inc., and Enterprising Promotions Ltd. - Respondents

BEFORE: T. Ducharme, J.

COUNSEL: D.R. Rothwell

For the Appellant

R. Shour

For the Respondents

MOTION

HEARD: July 2, 2004

E N D O R S E M E N T

[1] The Plaintiff/Appellant ["Appellant"] appeals from an interlocutory order made on April 20, 2004 by Case Management Master Carol Albert which:

(a) granted leave to amend the Statement of Defence and Counterclaim;

(b) gave directions for further examinations for discovery;

(c) ordered answers to three questions which had been refused during the discovery of Einhardt Wiedel; and

(d) awarded and fixed costs payable by the plaintiff of $2,100.

The Appellant asks that this order be set aside and an order be made instead in terms as set out in paragraph 2 of their factum.

[2] The Parties are agreed that the appropriate standard of review is that set out in Bank of Nova Scotia v. Liberty Mutual Insurance Co., [2003], O.J. No. 4474 (Div. Ct.):

(a) if the matter is one of discretion, the court should not interfere unless the Master was clearly wrong;

(b) if the matter is one of law that is not vital to the disposition of the lawsuit, the court should not interfere unless the Master was clearly wrong; and

(c) if the matter is one of law that is deemed vital to the disposition of the lawsuit, the test should be one of correctness.

Moreover, where the Master is dealing with interlocutory matters not vital to the disposition of the case, the motion ought to be heard as an appeal and not de novo.

The Granting of Leave to Amend the Statement of Defence and Counterclaim

[3] Master Albert granted leave to amend the Statement of Defence and Counterclaim. The Appellant concedes that many of these amendments were in the nature of housekeeping amendments, but objects to the addition of the name of one Alan Grelowski to paragraphs 53 and 58 of the Statement of Defence and to paragraph 137(i) of the Counterclaim. The Appellant advances two arguments: (1) There was not a sufficient factual basis in the motion record before the Master to permit this amendment; and (2) The amendments caused prejudice to the Appellant insofar as they result in a re-attendance for further examination for discovery.

[4] The granting of the amendments to the pleadings is governed by Rule 26.01 which provides that the court shall grant leave to amend a pleading unless prejudice would result that could not be compensated for by costs or an adjournment. As Moldaver J.A. noted in Andersen Consulting Ltd. v. Canada (Attorney General), [2001] O.J. No. 3576 at paragraph 37 (Ont. C.A.) there is a:

well-established rule that amendments like those sought in the present case should be presumptively approved unless they would occasion prejudice that cannot be compensated by costs or an adjournment; they are shown to be scandalous, frivolous, vexatious or an abuse of the court's process; or they disclose no reasonable cause of action.

It is worth noting that Moldaver, J.A. made no mention of some minimal factual support in the record as being a further prerequisite to the granting of leave to amend the pleadings. Indeed, the balance of Andersen Consulting Ltd. suggests precisely the opposite, as the motions judge was criticized at paragraph 35 for "weighing evidence, interpreting controversial contractual provisions and making findings of fact, all matters that should have been avoided at the pleading stage." Counsel for the Appellant was unable to cite any authority for the proposition that amendments to pleadings can only be granted where there is a sufficient factual basis for them outlined in the motion record. In my view, this argument must be rejected as it is clearly inconsistent with the presumptive approval test mandated by Rule 26. It should also be noted that the reasons for these amendments were explained in the Case Management Motion Form filed before the Master. While the Appellant may dispute the factual basis for these assertions that is a matter for trial.

[5] The argument that the amendments resulted in prejudice that cannot be compensated for "by costs or an adjournment" can be dispensed with quickly. As Master Albert noted there was no evidence that any prejudice would result from the six month delay. Moreover, the prejudice identified on appeal that is, the need to re-attend for further examinations for discovery, is precisely the type of prejudice that can be dealt with by way of costs and/or an adjournment. Thus, it cannot be maintained that the amendments should have been refused on this basis.[1] In oral argument, the Appellant conceded that this prejudice could be remedied by costs and asked that this Court make an order in this regard. However, as the Appellant sought no such relief in argument before the Master, it would not be appropriate to order costs when the matter was not raised at the first instance.

[6] As a result, the order permitting the Respondent to amend the Statement of Defence and Counterclaim is upheld.

The Order to Answer Questions Which Had Been Refused

[7] Master Albert ordered that questions 659, 698 and 956 which had been refused upon the examination of Einhard Wiedel should be answered. Both parties agree that the numbers of the first two questions was misidentified and that the questions to be answered were 879, 899 and 956. The Appellant does not rely on this error and the parties are agreed that these questions related to the provision of names and addresses of employees, the length of service of employees and the names addresses and telephone numbers of former employees since 1999. Here again the Appellant argues that there was an insufficient factual basis in the record before the Master to support this order. The Appellant also argues that these refusals should have been sustained as the questions were irrelevant and because the disclosure of such information was prohibited by the Personal Information Protection and Electronic Documents Act( 2000, ch. 5).

[8] The pleadings in any civil action form the terms of reference for discovery and relevance at discovery is broader than at trial. There is no requirement that the proposed questions be factually supported by the motion record and, once again, counsel for the Appellant was unable to cite any authority for that proposition. The applicable standard here is the "semblance of relevance" test articulated by Steele, J. in Kay v. Posluns (1989), 71 O.R. (2d) 238 (H.C.). As Master Albert found, the information relating to employees and former employees of the Appellant is relevant to paragraphs 99 to 106 of the Statement of Defence and paragraph 27 of the Reply and Defence to Counterclaim. These employees may have information relating to the 308.73 carats of diamonds that the Appellant alleges were never delivered to them. As such these questions are relevant and, with respect to questions 879 and 956, expressly authorized by Rule 31.06(2). This order was a discretionary one and, applying the proper standard of review, it cannot be said that Master Albert was clearly wrong.

[9] As for the Appellant's submission that the disclosure of this information would be prohibited by the Personal Information Protection and Electronic Documents Act( 2000, ch. 5) this ignores the express provision of section 7(3)(c) of that Act which provides, in relevant part:

(3) . . . an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records.

At a minimum, the order of Master Albert is an order made by a court with jurisdiction to compel the production of information. Thus, this submission of the Appellant also fails.

[10] As a result, the Master's order is upheld and the Respondent is ordered to answer questions 879, 899 and 956.

The Order to Re-attend for Further Examinations for Discovery

[11] At the outset, the parties are agreed that the Master should not have ordered re-attendance as a result of the amendments to the pleadings as the Respondent made no such request before her. They are agreed that, if the order to re-attend is sustained, it should be in relation only to undertakings and refusals subsequently answered. I agree.

[12] Here again the Appellant argues that there was an insufficient factual basis in the record before the Master to support this order. In this regard, the Appellant relies on the decision of Master Beaudoin in Central Guaranty Trust Co. v. Beebe Estate, [1997] O.J. No. 4882 where he states at paragraph 7:

Rule 31.06 certainly contemplates only one oral examination for discovery. As to whether or not there is a right to further discovery, once again I am presented with conflicting authorities by counsel. The plaintiff relies on I.C.S. Construction Ltd. v. GKN Birelco Ltd., [1991] O.J. No. 597, (March 13, 1991), Doc. CLA 162/87 Forestell J. (Ont. Gen. Div.) whereas the defendants rely on Christie Corporation v. Alvarez (1994) 34 C.P.C. (3d) 92, a decision of Mr. Justice McNeely which distinguishes the J.C.S. Construction case. Upon reading these decisions, I am satisfied that there is no automatic right by one party to compel the re-attendance of another merely because the other party has complied with an undertaking or provided an answer after a discovery.

I believe the decision of McNeely J. gives some guidance in this regard in that he suggests the moving party must demonstrate why reattendance would serve a useful purpose. In this instance, I believe it would be helpful for the court to have, by way of affidavit, an indication of what areas need to be explored through further oral examination on discovery.

It is not sufficient to accept, as submitted by plaintiffs counsel, that the opposing party can object if counsel, on re-examination strays into areas previously responded to or into areas upon which he may not be entitled to re-examine.

[13] I accept that there is no automatic right by one party to compel the re-attendance of another merely because the other party has complied with an undertaking or provided an answer after a discovery. However, I reject the suggestion that in Central Guaranty Trust Co. v. Beebe Estate Master Beaudoin was propounding a general requirement that affidavit evidence is required before an order for re-attendance will be made. Indeed, Master Beaudoin expressly limited the scope of his suggestion when he said affidavit evidence would be helpful "In this instance". None of the other cases cited by the Appellant support such a general rule and counsel for the Appellant was unable to cite any cases where Central Guaranty Trust Co. v. Beebe Estate was interpreted to this effect. Indeed, the proper approach to the ordering of re-attendance was clearly identified by McNeely, J. in Christie Corporation v. Alvarez where he said at paragraph 4, "no general rules are possible and each case must be considered on its merits." In this case, after the completion of discoveries, the Appellant provided answers to ninety nine undertakings and twenty refusals. The decision to order re-attendance was a discretionary one and, applying the proper standard of review, it cannot be said that Master Albert was clearly wrong.

[14] As a result, the Master's order is upheld and the Appellant is ordered to re-attend for discovery arising from the answers to the undertakings and refusals.

Sunday, August 22, 2004

Article: Patients are denied the last rites under data protection law

I've heard of this happening in Canada, but it has not been widely reported on. The Telegraph has a very good article on the issues related to not providing patient religious affiliation info to hospital chaplains because of privacy concerns.

Patients are denied the last rites under data protection law

By Elizabeth Day
(Filed: 25/07/2004)

Thousands of terminally ill patients are being denied access to spiritual guidance from hospital chaplains because the Data Protection Act is being applied over-zealously.

The Hospital Chaplaincies Council has criticised several NHS Trusts for their "hysterical" refusal to disclose the religious backgrounds of their patients. The trusts claim that such information is "too sensitive" to share with chaplains.

Now many of Britain's 3,425 hospital chaplains are unable to offer spiritual succour - or perform the last rites in the case of Roman Catholics - unless patients ask to see a chaplain on admission to hospital. Chaplains are concerned that many patients going for routine check-ups will not give their consent and then be unable to change their mind should their medical condition deteriorate.

Read the rest of the extensive article here ...

From what I've heard informally, it'll be a lot worse for chaplains in Ontario once Bill 31 is implemented in November.

Article: Customer's data protection fears hinder Lloyds TSB's offshoring plans

It is not only in British Columbia where unions are using privacy legislation to prevent offshoring of data processing jobs:

Lloyds TSB in data protection battle over offshore outsourcing

18 August 2004 - UK bank Lloyds TSB has been threatened with legal action by its staff union over the transfer of call centre jobs to outsourced processing centres in India on grounds that the move breaches the Data Protection Act.

An unnamed customer is mounting the legal challenge, backed by The Lloyds TSB Union (LTU).

The union claims the bank is breaching the Data Protection Act by transferring customer financial data to overseas centres without their consent. LTU says according to European law, personal data can only be transferred outside the European Economic Area with the written consent of customers.

The government-appointed Information Commissioner is expected to decide on the union's case in the next few weeks.

Lloyds TSB announced in October last year that it was closing its customer contact centre in Newcastle, leading to the loss of 986 UK jobs, and would transfer the work to its operations in India. Additionally, in April this year, the bank's Scottish Widows division opened a new office in Bangalore India to pilot the offshoring of back office functions.

The union has been actively campaigning against the offshoring of jobs and says if the challenge is successful, it would have wider implications for the whole of the financial services industry.

Earlier this year British members of the European Parliament called for new data protection laws to prevent unauthorised access to customer data by offshore workers. The MEPs, backed by British trade union Amicus tabled plans for European regulations to prevent unauthorised access of personal details being processed abroad.

See also this article from Personneltoday.com:

Customer's data protection fears hinder Lloyds TSB's offshoring plans

Lloyds TSB's plans to transfer work to India are being challenged by one of the bank's customers on the grounds that they infringe legal requirements concerning data protection.

The case against Lloyds TSB is that India does not have the same stringent standards of data protection that are legally required by the Data Protection Act 1998.

European legislation requires that sensitive personal data can only be transferred outside of the European Economic Area with the express consent of customers.

India is not included on the European Union's list of countries that offer adequate levels of protection for personal data.

The government-appointed Information Commissioner is being asked to rule on whether Lloyds TSB is acting legally when transferring sensitive personal data abroad.

Steve Tatlow, assistant general secretary at Lloyds TSB Group Union, said: "This is an important case. If successful, it could force Lloyds TSB to drop its offshoring policy for fear of losing many customers.

"Concerns over data protection are yet another reason why Lloyds TSB should now listen to its customers and commit itself to the UK."

Incident: Highly Personal Information Found In Trash

These kinds of stories appear in the media all the time, but this one is particularly bad. The information chucked in the trash was from a collection/credit agency.

Highly Personal Information Found In Trash

10 Investigates has recovered personal information found behind a Columbus collection agency. It's confidential information on people from Ohio and across the country. Could it be personal information about you?

Top of a privacy lawyer's wish list

One of the things that you can get almost all privacy lawyers to agree on is that the current system of summarized findings does not provide the detail that lawyers are comfortable with basing their opinions on. At present, the Privacy Commissioner releases very brief summaries of findings that have been made in response to complaints under PIPEDA. (See the Commissioner's findings here.) They do not name the complainant and they do not name the organization complained about. But, more importantly, they are cleansed of any details that would tend to identify any of the parties, so that the resulting summary is relatively vague on details and also vague on analysis.

Some time ago, the Public Interest Advocacy Centre in Ottawa complained to the Commissioner about a number of large corporations. PIAC published all the complaints and related correspondence on their website (see PIAC's Privacy Page here). The "findings" of the Commissioner, nicely scanned are published and provide a great wealth of information about how the Commissioner approaches these complaints and also shows the significant degree of "back and forth" among the parties during the investigation process.

For individuals and corporations who are trying to figure out the details of compliance and their rights, the present findings do not provide a strong foundation for understanding. For lawyers advising clients on matters related to PIPEDA, the lack of detail may often result in vague advice or educated guesses by counsel. Even though the Commissioner is not bound by previous decisions, readers do rely upon the findings to determine how the Commissioner is likely to respond to a particular set of facts in the future.

PIPEDA is coming up for review in 2006 and it is expected that the deficiencies of the findings will be the subject of some debate. Most privacy lawyers are hoping that this will be considered in greater detail.

I also note that a number of prominent members of the Canadian privacy community have called for the Commissioner to "name names" in her findings. (See Michael Geist's "Name names, or privacy law toothless" and PIAC's letter to Commissioner Jennifer Stoddart.) This approach is favoured by some so that fully-informed consumers can vote with their feet and companies are appropriately shamed into compliance. I'm not 100% sure if I agree with this, but publicly naming companies would likely help in getting recalcitrant companies to take privacy more seriously.

Saturday, August 21, 2004

Article: Credit companies cool toward 'freeze'

The ability to freeze one's credit report is touted in a number of articles as the solution to ID theft. Is short, a consumer can lock his or her credit report so that it can only be released by a PIN given directly by the consumer. If credit grantor can't successfully get a credit report at the behest of an ID thief, no credit can be granted and no ID theft.

I have no idea if this is available in Canada, but you may be able to argue that PIPEDA would provide for this if you told all the consumer credit agencies that they do not have your permission to disclose your personal information except with your explicit consent, confirmed via a PIN or other tool. Most consumers have, via credit card agreements and others, given carte blanche to access credit reports, so you may not be able to revoke this.

Credit companies cool towards 'freeze'

By BRIAN BERGSTEIN
Associated Press

NEW YORK — Little by little, a weapon against identity theft is gaining currency — but few people know about it. It's called the security freeze, and it lets individuals block access to their credit reports until they personally unlock the files by contacting the credit bureaus and providing a PIN code.

Credit agencies were required to allow freezes, at least in California, thanks to a new state law. For more info, you can also check out http://www.fightidentitytheft.com/legislation_california_sb168.html

Friday, August 20, 2004

Privacy Presentations from the CBA Annual CLE Extravaganza

As promised a short while ago, I've posted the presentations from the CBA Annual CLE session on cross-border privacy issues. Many thanks to Simon Chester for compiling our three powerpoints into one coherent (and hefty) acrobat file.

Cross-Border Issues for Privacy Law Compliance in Canada, the US & the EU

Presented by the National Privacy Law Section and the National Business Law Section This panel will focus on issues facing multi-national organizations that seek to align their privacy law compliance procedures across jurisdictions. The panel will examine the approaches taken by multi-nationals in complying with the new Canadian laws, as well as requirements for Canadian companies doing business in the US and the EU.

Moderator: David M.W.Young, Partner, Lang Michener LLP (Toronto)

Speakers: Simon Chester, Partner, McMillan Binch LLP (Toronto)
Evelyn L. Sullen, Staff Counsel, Volkswagen of America Inc. (Auburn Hills, MI)
David T.S. Fraser, Associate, McInnes Cooper (Halifax)

Article: B.C. residents' health records will be secure with U.S. company, Collins says

The British Columbia finance minister has waded into the privacy/outsourcing debate to try to reassure the public that privacy will be protected if the BC government outsources medical records management to a subsidiary of a US company.

B.C. residents' health records will be secure with U.S. company, Collins says

Thu Aug 19, 8:52 PM ET

VICTORIA (CP) - The privacy of British Columbians will be protected if Victoria allows a U.S.-based firm to manage the province's medical records, says Finance Minister Gary Collins.

The government is considering giving the contract to the Canadian subsidiary of a company called Maximus.

"We are dealing with a 100 per cent Canadian subsidiary of the company," Collins said. "The entire board of directors are Canadian citizens.

"We also are working with the privacy commissioner but our number one issue is the security of people's private information and government will not sign a contract unless we're completely comfortable that British Columbia citizens medical records are completely private," Collins said.

More of the story can be found here.

Thursday, August 19, 2004

Comments welcome: PIPEDA and Canadian Privacy Law

I've noticed a large increase in traffic to this blog and I recevied some very favourable feedback at the recent annual CBA conference. I'd like to make this as useful and relevant as possible for readers (while keeping my day job).

Please feel free to leave comments on individual posts or general comments, suggestions, criticism, etc. Just click on "Click here to leave a comment or to view comments" at the bottom of each post. It's just that easy! If you want to comment privately, you can e-mail me at david.fraser @ mcinnescooper.com.

Article: Ontario to tackle address sharing

It looks like there'll be a comprehensive examination of private sector access to government databases following the well-publicised Impark issues:

Ontario to tackle address sharing

Privacy commissioner sought action for years

Parking ticket harassment highlighted policy

JORDAN HEATH-RAWLINGS
STAFF REPORTER

The minister of transportation and Ontario's privacy commissioner will meet soon to examine the complex system that allows more than 3,000 companies and organizations access to the addresses and other personal information of the province's residents.

Privacy commissioner Ann Cavoukian wants the government to limit the scope of the organizations that can access personal information, specifically those who use such information to chase down bad debtors.

The authorized request system, which allows certain organizations access to public information in the transportation ministry databases, came under fire this week after stories in the Star revealed that Imperial Parking (Impark) was giving personal information to its collection agency, Canadian Bonded Collection, Inc., to chase people who owed small debts on unpaid parking tickets. The collection agency was calling people repeatedly, sometimes twice a day, according to several people who told the Star they had been receiving the calls for months.

For the rest of the story from the Toronto Star: Ontario to tackle address sharing.

News Release Privacy Commissioner calls for further examination of transfer of personal information about Canadians across borders

Continuing the theme of cross-border data transfers, the federal Privacy Commissioner has just issued the following press-release:

News Release

Privacy Commissioner calls for further examination of transfer of personal information about Canadians across borders

Ottawa, August 18, 2004 - The Privacy Commissioner of Canada, Jennifer Stoddart, today calls for a greater dialogue between governments, the private sector and the public about cross-border exchanges of Canadians’ personal information. The Commissioner articulated this need in the Office’s submission to the Information and Privacy Commissioner of British Columbia about the privacy implications of the USA PATRIOT Act.

The Privacy Commissioner congratulates the B.C. Information and Privacy Commissioner, David Loukidelis, for leading this important inquiry.

"The growing frequency in which personal information is shared across borders in increasingly globalized interdependent economies has important privacy implications for Canadians," said Ms. Stoddart. "We have an obligation to protect the privacy rights of Canadians. We must have a balanced and reasoned approach to personal information protection."

Canadians expect that governments and the privacy sector will collaborate to protect against mismanagement of personal information. We must collectively seek a balance balance will be struck between the requirements of national security, the need for public safety and the conditions of an open and efficient economy.

In the submission, the Privacy Commissioner recommends practical measures for citizens, companies and governments to better manage the cross-border flow of personal information. Some measures include:

  • Citizens can lodge a complaint with the Privacy Commissioner or provincial and territorial commissioners, depending on the organization whose conduct has raised the concern if they feel that an organization subject to privacy laws has violated their privacy rights. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), please request a copy of the Office’s Individuals Guide or visit http://www.privcom.gc.ca/information/02_05_d_08_e.asp (PDF).
  • Private sector organizations can comply with their obligations under PIPEDA or similar provincial legislation to protect customers’ personal information and to adopt appropriate safeguards. Under PIPEDA, organizations can request a copy of the Office’s Business Guide, or visit www.privcom.gc.ca/information/guide_e.asp (PDF).
  • Review by the federal government of PIPEDA and the Privacy Act to ensure that the highest standards of privacy protection relating to cross-border flow of personal information are met.
  • Enhanced federal/provincial/territorial cooperation in privacy protection and the promotion of a multi-stakeholder dialogue (private sector, civil society and other institutional partners) on privacy issues of national significance.

Along with this release, the Commissioner has also issued a fact sheet on cross-border personal information transfers:

What Canadians Can Do to Protect Their Personal Information Transferred Across Borders

Canadians benefit from a reasonable standard of protection of their personal information. They do not want to see that protection vanish when personal information about them is transferred across borders, and they do not want to see governments or organizations in Canada transfer their information across borders if it will be put at risk of inappropriate disclosure, whether for security or for commercial purposes.

The extent to which personal information about Canadians should be made available to foreign governments is a complex issue of continuing concern. Nonetheless, Canadians can take some measures to protect their personal information from inappropriate disclosure to foreign governments:

  • By bringing complaints about the handling of personal information (especially outsourcing arrangements) to the Office of the Privacy Commissioner of Canada or provincial and territorial commissioners, depending on the organization whose conduct has raised the concern;
  • By relying on the "whistle blowing" provisions of PIPEDA if a US based affiliate of a Canadian organization seeks to reach into Canada to obtain personal information held in a Canadian database in order to comply with a US legal order. These provisions would protect the confidentiality of employees who notify the Privacy Commissioner of Canada that a company intends to transfer information abroad in violation of PIPEDA. The provisions also protect employees against retaliation by the employers, such as harassment, dismissal or demotion;
  • By letting organizations in Canada that collect personal information about Canadians know that there is a concern about personal information being processed outside Canada;
  • By taking advantage of the information rights existing under PIPEDA and provincial private sector statutes which require organizations to follow fair information practices, notably obtaining consent for information use;
  • By reminding companies in Canada of their legal obligation to introduce appropriate security measures to prevent their subsidiaries or affiliates in another country from secretly obtaining access to personal information held in Canada to comply with a court order made in the foreign country;
  • By raising their concerns about the potential for excessive disclosure of personal information to foreign governments or to foreign companies with their elected representatives; and
  • Generally, by being more attentive to what may be happening to their personal information when it crosses borders and to the importance of clear and enforceable international standards on information sharing in democratic countries.

What Companies Do to Protect the Personal Information of Canadians Transferred Across Borders

Companies that are subject to PIPEDA or similar provincial legislation must comply with that legislation. It is important for the management of organizations subject to such laws to understand their responsibilities under the laws — for example, the obligations in PIPEDA to ensure the security of personal information. PIPEDA requires personal information to be protected by security safeguards appropriate to the sensitivity of the information.

Corporate leaders increasingly recognize that maintaining a high level of public trust in how personal information is handled is vital to achieve customer loyalty. It is also abundantly clear to corporate leaders that personal information holdings are key business assets that need to be protected against misuse.

And, finally, the Federal Commission has released a submission to the BC Privacy Commissioner in response to his request for submissions about the USA Patriot Act. (See previous blog entries: BC Responds to USA Patriot Act, Campaign in BC to Prevent Outsourciing and Labour groups raise outsourcing privacy fears.) The Commissioner's submission is available at http://www.privcom.gc.ca/media/nr-c/2004/sub_usapa_040818_e.asp

Wednesday, August 18, 2004

Followup story - Parking lot owners risk losing database

The Star has a followup article to a piece I wrote about earlier (see blog entry):

Parking lot owners risk losing database

Limits to collecting fines, minister says
Contracts could be cancelled if abused

ROB FERGUSON AND ROBERT BENZIE
QUEEN'S PARK BUREAU

Parking lot owners who use a government database to track down and harass motorists over private parking tickets risk having their access cut off, Transportation Minister Harinder Takhar says.

While the government has signed agreements with parking lot operators allowing them to pay an average of $10 to search a database for each licence plate, there are limits on how persistent operators can be in efforts to collect unpaid fees.

"We will enforce those agreements to the teeth," Takhar said yesterday at Queen's Park.

Yesterday's Star also has the following story, on the same topic:

Sorry, says parking firm

Debt collection policy to be reviewed
Aggressive phone calls sparked furor

KERRY GILLESPIE
CITY HALL BUREAU CHIEF

The parking firm that sparked a storm of controversy over the aggressive way it collects unpaid tickets has backed down.

Just two days after a story in the Star, Imperial Parking announced it will conduct a full review of its debt collection practices, which have included people being called multiple times a day, for months on end.

I had an interesting conversation with a process server on the plane back from Winnipeg and was intersted to hear about the access they have to government databases, such as those from MTO. I think a wider follow-up would be in order, looking at what private sector firms have access to revealing personal information from public sector sources.

Article: The Privacy Dilemma

Computerworld, once again, has a useful privacy-related article that encourages businesses to adopt customer-friendly practices:

The Privacy Dilemma

AUGUST 16, 2004 (COMPUTERWORLD) - Personalization is only as good as the data it's based on: The more you have, and the better it is, the more relevant the personalized interaction. The problem is, privacy concerns have customers increasingly shy about sharing. This, coupled with legislative handcuffs such as the "do not call" initiative, means businesses have to figure out ways to maximize each interaction with a customer and then securely develop the relationship.

"Companies have to avoid the 'marketing gone wild' mentality, as every interaction is a reflection on brand," says analyst Elana Anderson at Forrester Research Inc. She recommends that they focus on building customer relationships based on proactive service, leveraging personalization technologies on inbound channels to maximize the interaction when a customer makes contact. "It's the reason marketing should own the contact center; if messages are done right, they're service-oriented instead of the hard sell," she says.

I'd encourage readers to take a look at the rest of the article, available here.

Simon Chester's Op/Ed piece on outsourcing and privacy

Monday morning's National Post contained an opinion piece by Simon Chester, which conveniently coincided with his presentation to the Canadian Bar Association in Winnipeg on cross-border privacy issues. The piece does not appear to be generally available on the National Post's site, but it is on Simon's firm's site: http://www.mcmillanbinch.com/Upload/News/SChester_National_Post_081604.pdf. Whether privacy is the big outsourcing bogeyman remains to be seen, but there does appear to be a growing concern about personal information being beamed around the world.

Regardless of the legal and contractual restrictions attached to the data as it crosses frontiers, I think John and Jane Public (if they know about it) are nervous at the idea and for some businesses, perception is as important as reality.

I'll also take the opportunity to throw in a shameless plug for Nova Scotia, a great nearshore outsourcing destination where service providers get great privacy advice and are easily within the reach of US regulators and the Canadian Privacy Commissioner. For more info, check out "The Nova Scotia Business Case."

(Old) Survey: Office-workers give away passwords for a cheap pen

I made a reference to an illuminating survey in a presentation a little while ago, but forgot where I heard it. Well, if you're checking my sources, here it is:

Office workers give away passwords for a cheap pen

By John Leyden
Published Friday 18th April 2003 08:24 GMT

Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today.

The second annual survey into office scruples, conducted by the people organising this month's InfoSecurity Europe 2003 conference, found that office workers have learnt very little about IT security in the past year.

If anything, people are even more lax about security than they were a year ago, the survey found.

Ninety per cent of office workers at London's Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year.

Men were slightly more likely to reveal their password with 95 per cent of blokes, compared to 85 per cent of women quizzed, prepared to hand over their password on request.

The survey also found the majority of workers (80 per cent) would take confidential information with them when they change jobs and would not keep salary details confidential if they came across them.

If workers came across a file containing everyone's salary details, 75 per cent of workers thought they would be unable to resist looking at it, again up from 61 per cent in 2002. A further 38 per cent said they would also pass the information around the office.

Naughty.

Even more here ...

Ok. Repeat after me: "I will not exchange my company's security for a cheap pen." (At least hold out for a Montblanc.)

Report from the CBA in Winnipeg

I just returned from a very good few days at the Canadian Bar Association’s annual get-together in Winnipeg, Manitoba. There were quite a few privacy-related events during the two-day substantive program.

The first event was more administrative than anything. It was the meeting of the CBA Privacy Law subsection. The meeting was chaired by Brian Bowman, the section secretary who is also a privacy lawyer at Pitblado in Winnipeg. We reviewed the privacy-related resolutions passed by the CBA general meeting and the extensive activity undertaken by the section during its first year. (I’m told that it has an unprecedented level of activity for a brand-new section.) The next year should be just as busy.

David Young, who chairs the Advocacy and Government Relations subsection led a discussion of the contribution that can be made when the Personal Information Protection and Electronic Documents Act (Canada) comes up for full review in 2006. I expect there will be no shortage of suggestions. Ann Goldsmith, legal counsel to the Office of the Privacy Commissioner mentioned they have many suggestions already, with deemed consent for due diligence review in the course of sales of businesses near the top of their list.

Cross-border privacy issues

The second event was also on Monday: a panel discussion of cross-border privacy issues. Moderated by David Young of Lang Michener, the panel was composed of Simon Chester of McMillan Binch, Evelyn Sullen of Volkswagen of America Inc. and me. The presentation that I gave is available here and I’ll try to get permission to post Simon and Evelyn’s powerpoints.

Simon Chester began with a presentation on European privacy law, using three European women as illustrations of the law’s development and enforcement: (a) Bodil Lindqvist, (b) Naomi Campbell (see Campbell v. MGN Limited, [2004] UKHL 22) and (c) Princess Caroline of Monaco. The first example demonstrates how some authorities in Europe are being much more aggressive in enforcing the Data Protection Directive, including against clearly non-commercial and “domestic” use of personal information. The latter two examples show how the balance between privacy and freedom of the press are moving clearly towards privacy in Europe. (We will not likely see any of the Campbell/Caroline examples in Canada soon, as PIPEDA specifically does not apply to information collected for “artistic, literary or journalistic purposes. Any similar complaints against paparazzi will have to be grounded in the independent tort of “invasion of privacy”, which is being slowly developed in the Canadian provinces that do not have a statutory tort.) Interested readers should take a look at Simon's comprehensive paper, which is available here.

Evelyn’s presentation included an overview of the sectoral laws in the United States (COPPA, HIPAA, GLB, etc.) and a look at Volkswagen USA’s experience in addressing PIPEDA and the European privacy rules. It was estimated that VW spent about $500K in complying with PIPEDA, including postage for sending a “grandfathering/opt-out” letter to all customers in their database.

One of the questions posed was whether to adopt a fragmented privacy management system within an international company or should one try to develop a policy that complies with all legal regimes in which the company operates. Much of what was discussed in the international context is also applicable within the Canadian federal system. We are dealing with a number of privacy regimes in this country, including the present 100% overlap between federal and provincial laws in Alberta and British Columbia. (I am told that the Order-in-Council to declare AB and BC’s laws “substantially similar” to PIPEDA is on the agenda for the next meeting of the federal cabinet.) We also have an interesting overlap in the health privacy arena. Alberta, Saskatchewan and Manitoba each have provincial health information laws and none of them are expected to be declared substantially similar. This means that physicians in private practice, who are engaged in “commercial activities”, must comply with PIPEDA and with the local health information law. In most cases, the healthcare professionals can design their programs to comply with the most demanding individual rules and principles. In some cases, this is not always possible as some contradictions may appear between the laws.

Update on Canada’s Privacy Laws

On Tuesday, Brian Bowman moderated a panel of representatives from various privacy commissioners’ offices. On the panel was Heather Black, Assistant Privacy Commissioner of Canada; Brian Loukidelis, Information and Privacy Commissioner from British Columbia, Barry Tuckett, Manitoba’s Ombudsman and Mary O'Donoghue, legal counsel to the Information and Privacy Commissioner of Ontario. Each of the panelists gave an update on developments in their respective jurisdictions, beginning with Heather Black’s overview of the roll-out of PIPEDA. Heather made an interesting distinction between systemic and more accidental violations of PIPEDA. Systemic violations are those which demonstrate a systemic problem, such as a lack of awareness, policies or procedures. Accidental ones are simply where a company’s established – and otherwise compliant – procedures and policies are not followed, resulting in a breach. Both are problems, but the balance of complaints is leaning further away from systemic breaches. Heather also mentioned that the number of complaints that are “well founded” has declined (to the end of 2003) to around 20% from 45% a couple of years before.

Mary O'Donoghue, from the Ontario Information and Privacy Commissioner’s Office, provided a very good and brief overview of the Personal Health Information Protection Act, 2004.

At the moment, I’m a little jetlagged. I’ll try to write more about the conference when I’ve got a few more minutes and once I’ve heard back from my co-panellists about posting their materials.

Tuesday, August 17, 2004

Article: TheStar.com - Parking firm's tactics "outrage" privacy head

The Ontario Information and Privacy Commissioner had a few choice words about the Ontario government's practice of selling registry of motor vehicle info to private parking lots:

TheStar.com - Parking firm%27s tactics %27outrage%27 privacy head:

"Improper use of government data, Cavoukian says

Readers recount similar tales of ticket harassment

It is "completely outrageous" that a parking lot operator used a government database to hound a citizen over a parking ticket" says Ontario's information and privacy commissioner. "It is unbelievable. You do not use information you obtain from the government to harass a member of the public" Ann Cavoukian said in an interview after reading of the plight of Peter Thompson in yesterday's Star."

Monday, August 16, 2004

NTSB responds to comments about auto black boxes

An OP/Ed piece in today's USA Today is written by Ellen Engleman Connors, the chair of the US National Transportation Safety Board. She writes that the NTSB is not interested in privacy invasive "black boxes" that record conversations or video. Instead, they want to mandate devices that record ten second loops of "objective data" from vehicle systems. See the comment via Yahoo:

Devices can improve safety

The National Transportation Safety Board (NTSB) is sensitive to the privacy concerns drivers may have about event data recorders (EDRs), but such concerns need not apply to the types of recorders we recommended this month. Our focus is solely on safety investigative purposes - data that is an objective, non-human witness to accidents. EDRs have the potential to improve the accuracy of crash reconstructions and design better occupant-protection systems.

Our recommendation concerns EDRs that continuously record such data as vehicle and engine speed, brake status, throttle position, seat-belt status and air-bag deployment for about 10 seconds, constantly erasing the older data. We do not need 24-hour monitoring EDRs. The devices do not record such "privacy" items as passenger conversations, nor do they record video images.

Canadian Bar resolves to support privacy

The Canadian Bar Association, meeting in Winnipeg, unanimously passed two privacy-related resolutions over the weekend. I'll post the full text of the resolutions when I have a chance, but there is some coverage in Saturday's National Post:

Canadian Bar Association to debate balance between privacy, security

Michelle Macafee
Canadian Press

WINNIPEG (CP) - Members of the Canadian Bar Association want the federal government to strengthen privacy laws and ensure that any collection of personal information for security reasons is 'subject to reasonable and attainable objectives.'

Delegates attending this year's annual meeting, which begins Saturday in Winnipeg, will debate two resolutions prepared by the association's privacy law and criminal justice sections. "

I expect a release will be soon posted here: http://www.cba.org/CBA/News/2004_Releases/default.asp

Amendment to the Federal Court Rules

I just attended the meeting of the Canadian Bar Association Privacy Law Subsection (this year in sunny Winnpeg), where part of the discussion concerned the review of PIPEDA that will take place in 2006. I spoke with a lawyer from the Office of the Privacy Commissioner to suggest that PIPEDA be amended to require notice to the Commissioner when someone takes a complaint to the Federal Court. (I gather that the Aeroports de Montreal decision caught the Commissioner unawares. See my comment at "Focus on Privacy - PIPEDA and the Unionized Workplace").

Lo and behold, I was informed that the rules of the Federal Court are being amended to require such notice (see the Canada Gazette notice at http://canadagazette.gc.ca/partI/2004/20040731/html/regle2-e.html to require service of the application on the Commissioner.

Canada Gazette: "As a result of the enactment of the Personal Information Protection and Electronic Documents Act, Rule 304(1)(c) is amended by section 16 to stipulate that every application to the Federal Court for review of a matter that is the subject of a complaint shall be served on the Privacy Commissioner within the time period prescribed in Rule 304. "

Anyone wanting to comment has sixty days from July 31, 2004 to do so.

Friday, August 13, 2004

BC Commissioner's report on outsourcing delayed

I guess this is a good sign ... there has been so much interest in the BC Information and Privacy Commissioner's call for comments on the effect of outsourcing on privacy that he has been forced push back the anticipated delivery time of his report.

Coverage here:

B.C. privacy commissioner's report into U.S. Patriot Act delayed

"VICTORIA (CP) -- B.C.'s information and privacy commissioner has delayed the release of his advisory report on how the U.S. Patriot Act could affect Canadians because of the sheer volume of responses he's gotten during his inquiry.

David Loukidelis said in a news release Tuesday the report won't be ready until mid-September. "

Wednesday, August 11, 2004

Registration - BugMeNot.com

Many people -- me included -- find compulsory registration for websites to be more than an annoyance. Sites like the Washington Post and the LA Times only provide access to content to those who have gone through a registration process, which often "costs nothing and will only take a moment." It does take time and I almost instantly forget my snazzy new username and password, so I have to go through the whole process again to read another article sometime later. The questions may also be pretty instrusive and perhaps a violation of Canadian privacy laws.

A website, called Bugmenot.com, has a handy database of usernames and passwords for many of news sites, catering to those who don't like sharing personal information only to read an article. The service is free, but they have a new registration process for certain users. Take a look at their clever registration form at BugMeNot.com:

To help us create a "better online experience" for our visitors we require certain types of users to register.

If you are an employee, partner, affiliate or legal representative of any site which enforces compulsory user registration then we require you to complete our registration process. It costs nothing to register and will only take a moment.

Registration must be completed prior to using any resource of bugmenot.com including viewing pages or emailing the site operators. Failure to do so constitutes a breach of our Terms of Use and non-authorization to use this site. Server logs don't lie.

Tuesday, August 10, 2004

USA Patriot Act and outsourcing

ITAC, the Information Technology Association of Canada, has entered the fray over the privacy risks of outsourcing Canadian services to US companies. The Globe and Mail has an article on the ITAC submission to the BC Privacy Commissioner:

U.S Patriot Act a 'red herring,' ITAC says

TORONTO, Aug. 6 — The Information Technology Association of Canada has called the U.S Patriot Act a "red herring" when it comes to concerns about privacy of Canadians.

In a a submission filed with the Information and Privacy Commissioner for British Columbia, ITAC argued that outsourcing is a beneficial force for governments and their taxpayers and citizens. It also explains that the U.S. Patriot Act is not a logical vehicle to access Canadian personal information held by U.S.-linked outsourcing companies in the performance of Canadian outsourcing contracts....

Monday, August 09, 2004

IPC - Health Information Protection Act - Frequently Asked Questions

The Ontario Information and Privacy Commissioner has just released a very useful list of frequenly asked questions related to the Personal Health Information Protection Act (Bill 31 or PHIPA). A good starting point for anyone who wants to understand this complicated statute ...

IPC - Health Information Protection Act - Frequently Asked Questions:

"Note: This FAQ provides a general overview of the Health Information Protection Act, 2004, S.O. 2004, c.3.. This document does not include references to the Regulations, since currently there are no Regulations under the Act. As such, this document should be read in conjunction with the Act and any Regulations that will be made under the Act. The information contained on this web page is for general reference purposes only and should not be construed as legal advice. You should consult with your own solicitor for all purposes of interpretation."

Thursday, August 05, 2004

Incident: Identity theft alert for CSU students and staff

From the "no good can come from this" department: The auditor of California State University lost a hard-drive, containing 23,000 names and social security numbers. More info here:

KSBY - Identity theft alert for CSU students and staff:

"A warning is going out to thousands of California State University students and graduates, as a computer hard drive belonging to the CSU auditor goes missing.

The hard drive was either discarded or stolen in late June in Long Beach and contained personal information, including 23,000 names and social security numbers, 13,000 of which are affiliated with Cal Poly."

Wednesday, August 04, 2004

Article: Australia's new Commissioner to take the soft touch

Australia's new privacy commissioner, Karen Curtis, is planning to take a more business-friendly approach to her position than her successor.

NEWS.com.au | Privacy boss tips soft option (August 3, 2004):

" Simon Hayes
August 3, 2004

AUSTRALIA'S new Privacy Commissioner, Karen Curtis, has tipped a light-touch approach to regulation, ruling out the get-tough approach of her crusading predecessor, Malcolm Crompton.

The former Australian Chamber of Commerce and Industry executive is pushing a softly-softly strategy to get businesses to comply with the Privacy Act, warning that regulations 'impact disproportionately' on small business.

'For the most part businesses have adopted a culture of compliance, especially in big business,' she said. 'I'm certain there has been an attitude change.

'For small businesses covered by the legislation, it is harder to comply because of the call on their resources.'

The Privacy Act which came into force for big businesses in December 2001 and some small businesses in December 2002 has restricted the way industry uses and stores personal information. "

The full text of the article is available here.

US NTSB investigators recommend mandatory "black boxes" in new cars

An article in SFGate.com reports that NTSB investigators of a fatal crash (10 killed, 63 injured) are recommending that "black boxes" be made mandatory in passenger vehicles. The majority of new vehicles have "event data recorders", which record data related the last few seconds before airbag deployment. Most drivers are not aware that their vehicles have these installed and privacy advocate David Sobel (of EPIC) has some things to say about that. As is often the case, the good folks at Slashdot.org have some things to say on this topic:

"http://slashdot.org/article.pl?sid=04/08/04/0240205
Posted by timothy on Wednesday August 04, @05:40AM
from the we-know-what-you-did-last-summer dept.
linuxwrangler writes "Officials at the National Transportation Safety Board are recommending the government require data recorders in all passenger vehicles. David Sobel of EPIC says his group has privacy concerns - especially when drivers are unaware of the presence of the devices. Auto black-boxes have been covered here before."

See also my previous posts on vehicle black boxes: here and here.

Tuesday, August 03, 2004

Task Force recommends sharing personal health information with police in Newfoundland

The Newfoundland governnment established a task force in December 2003 to address the abuse of OxyContin (aka Hillbilly Heroin). The Task Force has released its report , which notably includes recommendations about information sharing between healthcare professionals and the police where abuse is suspected. The Task Force reccomends that existing monitoring programs be expanded and that legislation be passed to allow sharing information with law enforcement and professional regulators:

46) The Task Force recommends that the Provincial Government make the necessary legislative changes to the Medical Act to permit the release of appropriately screened information sharing from MCP [Medical Care Plan]and the NLPDP [Newfoundland and Labrador Prescription Drug Plan] to law enforcement agencies in the province, when there is a reasonable belief of fraudulent or criminal activity. The results of this information sharing should be evaluated to determine its effectiveness.

In addition, the Provincial Government should consider laying the framework for a realtime monitoring program. This program is already built into the current proposal for the Newfoundland and Labrador Pharmacy Network. The proposed Pharmacy Network is the second component in the development of the Health Information Network and Electronic Health Record for the province. It is an information system that will create individual prescription profiles for everyone who receives medications in the province. Extensive consultations with over 800 stakeholders including health care professionals from many different disciplines (e.g. physicians, pharmacists, social workers, and nurses), regional health boards, regulatory bodies, and the DHCS, informed the work of the Project team.

Pharmacies in the province maintain computerized medication histories for patients; however, these histories are fragmented across all pharmacies, hospitals, and physicians that patients use. The proposed pharmacy network will help health care providers make better-informed and timely decisions about each patient’s care. The network will provide tools and processes to support electronic prescribing, medication dispensing, compliance monitoring, research, and policy development. Increased access to, and use of, appropriate medication information may enhance the quality of care, improve patient safety, facilitate accountability, and promote the cost effective use of medications.

The Pharmacy Network will provide health care providers with the opportunity to deliver better patient care and provide increased patient safety.

It is recognized that the collection of this information is only one step toward addressing the problem. Legislation will be required to ensure complete submission of data by pharmacies, allow for reporting to the police of individuals who fail to respond to other interventions, and to ensure that physicians identified as having concerning prescribing patterns are thoroughly investigated. Human resources will be required to support such a monitoring program, so that the information collected is acted on in a timely and appropriate manner.

Here is the provincial government's press release on the topic:

OxyContin Task Force report released:

"August 3, 2004 (Health and Community Services)


OxyContin Task Force report released

Greater education and public awareness, improved mechanisms for information sharing and stronger collaboration among the medical and policing communities are some of the findings and recommendations outlined in the final report from the OxyContin Task Force. Elizabeth Marshall, Minister of Health and Community Services, joined her colleagues Tom Marshall, Minister of Justice and Attorney General, and Tom Hedderson, Parliamentary Secretary to the Minister of Education, today in releasing the report.

"The misuse and abuse of prescription drugs, like OxyContin, is complex and addressing the problem will require more work with our partners," said Minister Elizabeth Marshall. "I would like to thank the task force members for their dedication, contributions and continued efforts. All of the recommendations put forward will be given serious consideration."

The task force final report outlines areas in which OxyContin is most prevalent in the province, including rising access to the drug among adolescents, an increase in the number of prescriptions and increased criminal activity to access OxyContin. It also states there is no mechanism for sharing information with police when double-doctoring is suspected.

"Our recommendations reflect the information its members have gathered from professionals, community groups and individuals directly affected by this drug," said Beverley Clarke, chair of the OxyContin Task Force. "The task force believes a comprehensive approach will help address the numerous issues arising from the misuse and abuse of OxyContin and other narcotics. A collaborative effort is necessary to achieve and sustain long-term results."

The report offers 50 recommendations including the need for further education and prevention initiatives, additional treatment options, harm reduction strategies and legislative amendments.

Government intends to act immediately on several recommendations including the implementation of tamper-resistant prescription pads, continuing education for health professionals and youth and establishing provincial guidelines for methadone treatment. Other recommendations will require further analysis added Minister Elizabeth Marshall.

The Department of Justice supports recommendations relating to policing including continued focus on law enforcement training and allocation of police officers. "Policing plays a significant role in drug prevention, enforcement and investigation," stated Minister Tom Marshall. "The Department of Justice remains committed to providing officers with the proper training to strengthen the fight against not only OxyContin abuse and related crimes, but for all controlled substances."

"The long-term strategy for drug abuse prevention and education in schools will be developed as part of the Department of Education's Safe and Caring Schools Initiative," said Tom Hedderson. "This initiative, through interagency cooperation, provides leadership to schools on matters relating to substance abuse, violence and other health and safety issues."

The Government of Newfoundland and Labrador established the task force in response to concerns about OxyContin abuse put forth from law enforcement, health professionals, community advocates and the media. The task force was a collaborative partnership of the Departments of Health and Community Services, Education and Justice.

The final report of the task force is available on-line at . http://www.gov.nl.ca/health/publications/.

See additional coverage from the CBC here: CBC News: Give police medical info to curb 'hillbilly heroin': Report.

Monday, August 02, 2004

CBC Feature: Access and the database-ization of North America

The Canadian Broadcasting Corp's "The Current" is spending the holiday Monday focusing on privacy issues. The show begins with an interview with Michael Geist, continues with an interview with a BC PI (whose name I can't recall) and also has a dicussion of Privacy International's Big Brother Awards (by first and second posts on this topic and the official award announcement). I understand the transcript and real audio will be made available online tomorrow. If that is not the case, leave me a comment below and I'll try to fix the problem.

The Current 02/08/04 - Access and the age of 'database-ization' of North America: how much information about you is actually out there?

Addition: Thanks to an e-mail from Simon Chester, I can report that the combined transcript/Real Audio recording of the show is now available at http://www.cbc.ca/thecurrent/2004/200408/20040802.html. Also, the PI whose name I didn't catch is Jim Thomason, VP of the Private Investigators Association of British Columbia.