Monday, January 31, 2005

Another university hacked; personal information breached

Here goes another one ....

The UCSD Guardian Online: Hackers breach Extension computers:

"Campus administrators detected a low-level breach of computers within the UCSD Extension network, which has stored more than 4,800 files of students' personal information.

"This was a very unfortunate incident," UCSD Extension Marketing Director Monica Doyle said. "Universities are getting hacked into all the time now - that's why it's important we have really good security."

A university investigation into the breach, which administrators discovered on Nov. 6, revealed that hackers did not access any of the files on affected computers. The files contained full names, social security numbers and credit card information for students and alumni.

"This breach was used to store music and DVDs," Doyle said. "There is no evidence that any personal records were accessed."

Pursuant to state law, administrators notified individuals affected by the breach of the incident and advised them to place fraud alerts on their credit cards to avoid identity theft. The law requires companies and state agencies to notify individuals if their personal information is electronically compromised...."

US health privacy law affects research recruitment

A study being released in the Annals of Epidemiology reports that HIPAA is having a dire impact upon research. Not surprisingly, one of the big problems is that hospitals and universities are being inconsistent in the application of the new law.

U.S. Newswire : Releases : "Privacy Rule Cuts Research Recruitment By More Than Half...":

"PITTSBURGH, Jan. 31 /U.S. Newswire/ -- The Health Insurance Portability and Accountability Act (HIPAA) designed to enhance patient confidentiality by restricting access to medical records is slowing the progress of critical biomedical research, according to an editorial published in the February issue of the journal Annals of Epidemiology. In perhaps the first quantitative study of recruitment trends following the rule's implementation in April 2003, Roberta B. Ness, M.D., M.P.H., reports a significant "chilling effect."

Dr. Ness, professor and chair of the department of epidemiology at the University of Pittsburgh's Graduate School of Public Health (GSPH), documented trends in recruitment of research subjects to the Prenatal Exposures and Preeclampsia Program Project (PEPP), an ongoing prospective study of women followed throughout pregnancy at the Magee-Womens Hospital of the University of Pittsburgh Medical Center, for which she is a co-investigator. The ultimate aim of the study is to determine the cause of preeclampsia, a devastating complication that affects up to seven percent of first pregnancies and can be fatal for mother and baby.

The first phase of the PEPP study took place prior to HIPAA implementation from 1997 to 2001, with an average of 12.4 women being recruited each week, writes Dr. Ness, who also is chair of the policy committee for the American College of Epidemiology. After HIPAA, due to restrictions on researchers' ability to identify potentially eligible subjects, recruitment fell to an average range of 2.5 to 5.7 women a week.

Inconsistencies among academic institutions concerning interpretation of HIPAA regulations remain a potent threat to a wide range of clinical and biomedical research studies, she said. The University of Pittsburgh's Institutional Review Board (IRB), for instance, at first disallowed waivers of the rule. Investigators may seek a waiver to allow them easier access to health information protected as private under HIPAA, but waiver criteria vary among universities. In Pittsburgh, a waiver was granted in 2003 and rescinded in 2004.

"Recruitment with a HIPAA waiver decreased by half, and recruitment without a HIPAA waiver fell by half again," said Dr. Ness.

Internal university efforts continue to resolve these kinds of conflicts for researchers, but modifications to the rule itself would go a long way toward standardizing the way institutions view it, Dr. Ness said, adding that the University of Pittsburgh is not alone in its more conservative interpretation of the HIPAA rule.

"The post-HIPAA era brought an unwillingness on the part of the University of California system to continue its 16-year-long rapid cancer case reporting relationship with the California State Cancer Registry," she said. "For well over a year, researchers were barred from access to large numbers of recently diagnosed cancer patients in a case that also briefly engaged the state's court system. Fortunately, the University of California reversed its stance."

Still, concern continues among many researchers, Dr. Ness said. The American College of Epidemiology, on whose board Dr. Ness serves, and the Association of American Medical Colleges have called on the U.S. Department of Health and Human Services (HHS) to address the issue.

"An HHS advisory committee has proposed HIPAA modifications that include harmonizing HIPAA with the common rule that determines other IRB activities, among others," she said. "We can only hope that the new Secretary for Health and Human Services will adopt these modifications."

Canadian Marketing Association receives funding to study privacy

The CMA has received $50,000 from the Office of the Privacy Commissioner as part of its contribution program:

DMNews.com | News | Article:

"The Privacy Commission of Canada awarded funding to the Canadian Marketing Association to undertake a study on privacy best practices for business, the association said last week.

The CMA will receive $50,000 (Canadian) to conduct the research.

The association will develop methods to help businesses better handle private consumer information and comply with Canada's Personal Information Protection and Electronic Documents Act, the CMA said.

The CMA will look at effective data management practices in the industry and develop guidelines for businesses. Later, the CMA will research the role of the chief privacy officer at businesses and also identify privacy issues and concerns for small businesses."

OSFI on the case of the CIBC faxing debacle

The federal banking regulator, the Office of the Superintendent of Financial Institutions is also investigating the CIBC faxing fiasco, according to the Globe and Mail:

The Globe and Mail: OSFI to review CIBC faxing debacle:

"Canada's top financial industry regulator is looking into a faxing debacle at Canadian Imperial Bank of Commerce in which confidential information for dozens of customers was accidentally sent to a scrap-yard operator in West Virginia.

The Office of the Superintendent of Financial Institutions, the federal government body charged with overseeing the banking sector, is reviewing the incident and has held discussions with CIBC officials to make sure the problem has been dealt with properly, according to a letter from federal Finance Minister Ralph Goodale.

'You may be interested to know that the Office of the Superintendent of Financial Institutions is . . . examining this issue and has been in contact with CIBC officials to assess whether the bank is taking appropriate action to resolve this matter,' Mr. Goodale stated in an e-mailed letter to one CIBC investor...."

Update: April 18, 2005 - PIPEDA and Canadian Privacy Law: Privacy Commissioner of Canada releases her report on the CIBC faxing incidents

Sunday, January 30, 2005

Canada moves to counter privacy threat posed by U.S. Patriot Act

According to the Canadian Press, the Federal Government is in the final stages of taking contractual steps to limit the access of American authorities to personal information of Canadians. It is worth noting that this appears to apply only to future contracts and that the government is content to include blocking clauses in agreements with contractors, rather than amending the Privacy Act, as has been done in British Columbia:

Yahoo! News - Canada moves to counter privacy threat posed by U.S. Patriot Act:

"OTTAWA (CP) - The government will revamp the wording of future federal contracts with the aim of countering U.S. powers, granted under anti-terrorism laws, to tap into personal information about Canadians.

The move is intended to prevent the U.S. Federal Bureau of Investigation from seeing sensitive Canadian data the government supplies to American firms doing business with federal departments in Ottawa.

The government has also asked all agencies and departments to conduct a 'comprehensive assessment of risks' to Canadian information they release to U.S. companies carrying out work under contract.

The U.S.A. Patriot Act, passed following the Sept. 11, 2001 terrorist attacks, gave the FBI broader access to records held by firms in the United States.

The FBI can apply to a U.S. court to have a company disclose records, including information about Canadians, to assist with investigations involving prevention of terrorism or espionage.

Privacy Commissioner Jennifer Stoddart says that if a federal institution hires a U.S. company to process personal information about Canadians, then American laws apply to the data if the work is being done south of the border.

The federal Treasury Board leads a working group that is now busy finalizing special clauses to be used in future business proposal requests and contracts.

The group is consulting with Stoddart's office on clauses 'that we believe to be fundamental' to include in future request proposals and contracts, says a federal notice recently circulated to departments...."

Students crack RFID security

The New York Times is reporting that a group of researchers have managed to crack the most prevalent implementation of RFID as a security device. They can read your chip/card while standing next to you in the elevator, crack the keys and, less than an hour later, replicate your chip or card.

While the threat remains theoretical, this has significant repercussions for owners of vehicles that use RFID immobilizers, pay-at-the-pump systems and facilities that use RFID access cards. See: The New York Times > Science > Students Find Hole in Car Security Systems. See also a discussion at Slashdot: Slashdot Mobil SpeedPass, Various Car RFID Car Keys Cracked

Update: The full article on how it was done is available here:

RFIDAnalysis.org:

"The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems. A preliminary version of the full academic paper describing our attacks in detail is also available below."

Saturday, January 29, 2005

Presentation to Meeting Professionals International

On January 13, 2005, I led a roundtable discussion on privacy laws for the Ottawa chapter of Meeting Professionals International. The focus was on how those in the event planning industry should approach privacy laws. The event itself had a very interesting format: there were more than a dozen tables going at the same time, each on a different topic. Attendees signed up for their preferred choice when they arrived. Infolink, one of the sponsors, prepared a precis of each roundtable, including mine, which is available here.

As one would expect, the meeting was amazingly well planned....

Busted by his loyalty card

The discussion in Slashdot referred to in my previous post (PIPEDA and Canadian Privacy Law: Loyalty card almost leads to wrongful conviction for arson) led me to the following story:

A magistrate in the UK was investigated for theft of a watch that he "found" in a Tesco store. When he brought it in to be serviced, the jeweller looked up the serial number and found it was reported "lost or stolen". The magistrate said he bought it at a bric-a-brac store, but his loyalty card gave him away: it showed he had been at the Tesco store within two hours of the rightful owner, who lost it there.

Telegraph News Magistrate fined for keeping lost Rolex:

"...Inquiries with Tesco, through its Club Card loyalty scheme records, and receipts of purchases showed Rowlett had been in the shop within two hours of Mrs Scott...."

Loyalty card almost leads to wrongful conviction for arson

The records of a man's purchases compiled by a supermarket loyalty program almost led to his wrongful conviction on arson charges in Washington state. A veteran firefighter was suspected of the crime and his Safeway Club Card revealed a purchase of the store-brand firestarter. He was arrested in October and what would have appeared to be a slam-dunk prosecution had to be abandoned when someone else came forward and took responsibility.

The personal information collected through loyalty programs and other means is a double-edged sword. On one hand, purchase records can provide an alibi showing that the suspect, for example, was in a different location. On the other hand, otherwise innocuous purchases that are recorded can be interpreted to incriminate someone, perhaps inappropriately. There is also a big risk that too much weight will be put on this evidence when there is no confirmation of who actually used the card.

Slashdot | Safeway Club Card Leads to Bogus Arson Arrest:

"Posted by michael on Saturday January 29, @06:03AM

from the if-you're-innocent-you-have-nothing-to-fear dept.

Richard M. Smith writes "Tukwila, Washington firefighter, Philip Scott Lyons found out the hard way that supermarket loyalty cards come with a huge price. Lyons was arrested last August and charged with attempted arson. Police alleged at the time that Lyons tried to set fire to his own house while his wife and children were inside. According to KOMO-TV and the Seattle Times, a major piece of evidence used against Lyons in his arrest was the record of his supermarket purchases that he made with his Safeway Club Card. Police investigators had discovered that his Club Card was used to buy fire starters of the same type used in the arson attempt. For Lyons, the story did have a happy ending. All charges were dropped against him in January 2005 because another person stepped forward saying he or she set the fire and not Lyons...."

Friday, January 28, 2005

A living room is not a public place, says Supreme Court of Canada

The Supreme Court of Canada released its decision in R. v. Clark yesterday. The Court reversed lower court decisions that held that a living room may be a "public place" for the purposes of the Criminal Code of Canada.

The question arose in a prosecution of a person who was observed masturbating in his living room through an open window. The lower court convicted him under s. 173(1)(a) of the Criminal Code, concluding that the accused had made his living room a "public place." The Supreme Court of Canada disagreed, noting that Parliament is free to change the law to refer to a place in public view.

Here's the headnote:

Daryl Milland Clark Appellant

v.

Her Majesty The Queen Respondent

and

Attorney General of Ontario Intervener

Indexed as: R. v. Clark

Neutral citation: 2005 SCC 2.

File No.: 29976.
2004: November 2; 2005: January 27.

Present: McLachlin C.J. and Major, Bastarache, Binnie, LeBel, Deschamps, Fish, Abella and Charron JJ.

ON APPEAL FROM THE COURT OF APPEAL FOR BRITISH COLUMBIA

Criminal law -- Disorderly conduct -- Indecent Acts -- Criminal Code prohibits wilfully doing an indecent act in a public place -- Whether masturbating in illuminated room before an uncovered window while unknowingly being observed by neighbours is an indecent act in a public place -- Whether living room "a public place" within meaning of ss. 150 and 173(1)(a) of Criminal Code -- Meaning of word "access" in definition of "public place" in s. 150 of the Criminal Code.

The accused was observed masturbating near the uncovered window of his illuminated living room by neighbours from the privacy of their darkened bedroom, across contiguous back yards, from a distance of 90 to 150 feet. The police were summoned. They observed the accused from "just below the navel up" from the neighbour's bedroom and "from about maybe the neck or the shoulders up" from street level. The accused was charged under ss. 173(1)(a) and 173(1)(b) of the Criminal Code. Section 173(1) makes it an offence to wilfully do an indecent act (a) "in a public place in the presence of one or more persons", or (b) "in any place, with intent thereby to insult or offend any person". The trial judge convicted the accused under s. 173(1)(a) after finding he had converted his living room into "a public place" but acquitted him under s. 173(1)(b) after finding that it did not appear the accused knew he was being watched or intended to insult or offend any person. The Supreme Court of British Columbia and the Court of Appeal upheld the conviction. The Court of Appeal concluded that the accused had "intentionally conducted himself in an indecent way, seeking to draw attention of others".

Held: The appeal should be allowed. The accused's conviction is vacated and an acquittal entered.

The facts as found by the trial judge do not support the accused's conviction. The accused's act was not committed in "a public place" within the meaning of ss. 150 and 173(1)(a) of the Criminal Code. A "public place" is defined in s. 150 as "any place to which the public have access as of right or by invitation, express or implied". "Access" means "the right or opportunity to reach or use or visit" and not the ability of those who are neither entitled nor invited to enter a place to see or hear from the outside, through uncovered windows or open doors, what is transpiring within. Interpreting "public place" as contemplating physical as opposed to visual access renders the whole of s. 173(1) more coherent and is consistent with Parliament's legislative distinction in the Criminal Code between conduct that is criminal because it occurs in a public place and conduct that is criminal because it is exposed to public view or open to public view.

The Court of Appeal erred by departing from the trial judge's appreciation of the evidence in the absence of a finding that he had committed a palpable and overriding error. It also erred in finding that the conviction is supported by case law that expands the meaning of "a public place" to include the place where the witnesses to an indecent act are physically situated. Even if correctly decided, this case law does not support the conviction since the accused's act did not occur in a public place within the expanded meaning. Although the definition of "endroit public" in the French version of s. 150 contains no equivalent of the word "includes" found in the definition of "public place" in the English version, there is no need to choose between versions because both contemplate physical as opposed to visual access."

Most identity theft occurs offline

Reuters and others are reporting on statistics released by American regulators that suggest the vast majority of ID theft occurs offline, through dumpster diving and old fashioned wallet theft: More identity theft offline than online. For other sources, see Google Search: "identity theft" offline.

OPC announces recipients of special research funding

Last year, the Office of the Privacy Commissioner invited proposals for privacy-related research grants. Yesterday, it announced the recipients of funding:

PRIVACY COMMISSIONER AWARDS $371,590 TO NON-PROFIT ORGANIZATIONS FOR RESEARCH INTO THE PRIVACY IMPACT OF EMERGING TECHNOLOGIES:

"Ottawa, January 27, 2005 -- The Privacy Commissioner of Canada, Jennifer Stoddart, is pleased to announce the awarding of $371,590, under the Office of the Privacy Commissioner of Canada's (OPC) Contributions Program, launched in June 2004, to support non-profit organizations, including universities, advocacy organizations and trade associations in conducting research into the privacy impact of emerging technologies.

'Canadians are becoming increasingly aware of privacy threats in an age of global and inter-organizational transmission of personal information. This is the first time the Office of the OPC has launched a program to enhance knowledge in addressing those concerns, by building strong links between the research community and privacy rights practitioners in Canada,' said Ms. Stoddart.

The Office was so impressed by the quality of the submissions that an additional $171,590, over and above the original $200,000 allotted, was allocated to the program to support the development of expertise in key areas of privacy and data protection, and to foster an understanding of the social value of privacy and the Personal Information Protection and Electronic Documents Act (PIPEDA) in addressing emerging issues...."

Thursday, January 27, 2005

E-mailing sensitive personal information after collecting it securely

Risks Digest is a great source of information about the everyday risks that we face. Often, it carries examples of privacy risks. The latest issue contains a submission about an insecure practice: though sensitive personal information is collected securely using web-browser encryption, the information is then treated pretty casually.

The Risks Digest Volume 23: Issue 68:

"HTTPS .ne. secure

Fri, 21 Jan 2005 7:25:35 -0500

I recently filed a change of address for some Qwest stock I own. Qwest uses The Bank of New York (www.stockbny.com) to manage stock accounts, so I went to their web page, and filled out the form using name, address, SSN, and account number. Checked for the padlock indicating HTTPS, and convinced there was *some* degree of due diligence, submitted the form. The confirmation screen starred out all but the last four digits of the SSN (i.e., ***-**-9999), which seemed reasonable.

Last night I got back an e-mail that they couldn't process my change request (the reason is unimportant), and included in the text of the message my name, e-mail address, account number, and SSN. No stars this time to shield sensitive information. Seems like a pretty useful e-mail to intercept!

What kind of security policies allow including this sort of information? The security & privacy policies don't say anything about safeguarding customer information.

If anyone has a privacy/security contact at Bank of New York, I'd certainly be interested in talking to them!

(This is certainly not a new type of problem; see RISKS 21.83 for another example I wrote about 3 years ago.)"
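The failure mode described above (identifiers masked on the HTTPS confirmation screen, then sent in full in a plain e-mail) is easy to guard against in code. The following is an added example, not code from the Risks submission or from the bank; the record, the reason string and the function names are constructed for illustration. It shows a notice builder that only ever emits masked identifiers, a "leaky" builder reproducing the reported behaviour, and an outbound check of the kind a mail gateway or unit test can run before a message leaves.

```python
import re

# Constructed sample record: the fields the submitter says the bank held.
RECORD = {
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "account_number": "1234567890",
    "ssn": "123-45-9999",
}

# A full SSN in NNN-NN-NNNN form; the masked form ***-**-9999 cannot match
# because the first two groups must be digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def mask_ssn(ssn: str) -> str:
    """Return the SSN in the ***-**-9999 form the confirmation screen used."""
    m = SSN_RE.fullmatch(ssn)
    if not m:
        raise ValueError("expected an SSN in NNN-NN-NNNN form")
    return "***-**-" + m.group(3)


def mask_account(account: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits of an account number."""
    digits = re.sub(r"\D", "", account)
    if len(digits) <= keep:
        raise ValueError("account number too short to mask safely")
    return "*" * (len(digits) - keep) + digits[-keep:]


def leaky_notice(record: dict, reason: str) -> str:
    """The reported behaviour: full identifiers echoed into the e-mail body.
    Kept here only so the outbound check below has something to catch."""
    return (
        f"Dear {record['name']},\n\n"
        f"We could not process your change-of-address request ({reason}).\n"
        f"Account number: {record['account_number']}\n"
        f"SSN: {record['ssn']}\n"
    )


def safe_notice(record: dict, reason: str) -> str:
    """Same notice, carrying only masked identifiers; the customer can still
    recognise the account, but an intercepted copy reveals little."""
    return (
        f"Dear {record['name']},\n\n"
        f"We could not process your change-of-address request ({reason}).\n"
        f"Account ending in: {mask_account(record['account_number'])}\n"
        f"Taxpayer ID: {mask_ssn(record['ssn'])}\n"
    )


def find_unmasked_ssns(text: str) -> list:
    """Outbound check: every full SSN present in the message body."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def find_exposed_accounts(text: str, record: dict) -> list:
    """Outbound check: full account numbers from the record that appear
    verbatim in the message body."""
    digits = re.sub(r"\D", "", text)
    acct = re.sub(r"\D", "", record["account_number"])
    return [acct] if acct in digits else []


def is_safe_to_send(text: str, record: dict) -> bool:
    """Gate an e-mail on the two checks above."""
    return not find_unmasked_ssns(text) and not find_exposed_accounts(text, record)


if __name__ == "__main__":
    for builder in (leaky_notice, safe_notice):
        body = builder(RECORD, "signature did not match our records")
        print(builder.__name__, "safe to send:", is_safe_to_send(body, RECORD))
```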

Bush Pushes Computerized Medical Records

One of the next big initiatives of the Bush administration, according to the Guardian, will be electronic health records. Privacy, of course, will be one of the big issues to be dealt with:

Guardian Unlimited | World Latest | Bush Pushes Computerized Medical Records:

"...Brailer acknowledged great challenges to implementing a system available nationwide. All medical workers will need to have compatible technology, and converting records to such a system can be a costly hassle. Privacy and security must be ensured so that only those with patient consent have access to the records, he said.

Bush said he is sensitive to privacy concerns. ``I presume I'm like most Americans. I think my medical records to be private. I don't want people looking at them, I don't want people, you know, opening them up unless I say it's fine for you to do so,'' he said.

Brailer said the government needs to develop incentives to get doctors online. The government has already awarded grants to encourage the transition...."

It is very easy to say that access should only be provided if the patient consents. The reality of the healthcare system is that the information has the greatest value to the patient when the patient is unable to consent.

Rumours about spy chips in cash

The following link was sent by a regular correspondent ...

Bearing in mind that rumours are rumours, this one is rather interesting and perhaps chilling:

New rumours about spy chips in Euro notes | EDRI:

"There is a renewed rumour that the European Central Bank is going to add spy chips (RFIDs) to Euro banknotes. 'Czerwensky intern', a German newsletter providing bank and insurance background reports, says the ECB might have already signed contracts with Hitachi, and is ready to introduce the spy-notes this year. Allegedly, the contract requires such a high volume of RFIDs that Hitachi can't deliver all chips itself, but has to rely on subcontractors.

Earlier rumours (dating back to 2001) about plans to track and trace all Euro notes with the help of RFIDs were strongly denied by the ECB. On 4 June 2003 EDRI-gram reported about a press release from Hitachi announcing negotiations about the contract to Japanese investors. The RFIDs in euro banknotes could help against counterfeiting and make it possible to detect money hidden in suitcases at airports. But the technology would also enable a mugger to check if a victim has given all of his money. If RFIDs are embedded in banknotes, governments and law enforcement agencies can literally 'follow the money' in every transaction. The anonymity that cash affords in consumer transactions would be eliminated.

According to the biannual report from the ECB on the counterfeiting of the euro, released on 13 January 2005, the amount of counterfeited euro banknotes is still very low. It has risen 8% compared to 2003, "but the recent trend has been downwards."..."

Opinion: It's no secret that privacy laws can be bad for our health

Unfortunately, I am having a crazy day so I don't have a chance to comment on this opinion piece that appeared in the Globe and Mail:

The Globe and Mail: It's no secret that privacy laws can be bad for our health:

"The advent of electronic health records, combined with the creation of huge databases, and the increasing commercialization of medicine has sparked widespread concern about the privacy of medical information.

As a result, governments, health-care institutions, consumers groups and private corporations have fashioned laws and rules to protect the privacy of individuals. These initiatives are, for the most part, long overdue. They confirm and extend the long-standing legal principle of doctor-patient confidentiality."

Wednesday, January 26, 2005

Interesting student perspectives on privacy

After reading Despite High-Tech Snoops, We're In A Golden Age Of Privacy, the author of Household Chemicals asked his students about privacy. The results were interesting:

Household Chemicals: A Private Life:

"...I am currently teaching a media studies class and asked my students their opinions on this topic. It became very apparent that their personal privacy is very dear to them. Confirming Geewax, almost all of them had private bedrooms while growing up, and a fair number had private bathrooms. Thus, when probed about their notion of what is personal, they seemed to suggest that personal means anything having to do with bodies and bodily functions, which is to say there is a private body and a public body and never the twain shall meet. On the other hand, data is abstract, disembodied as it were. In this mindset there is really nothing at stake in those traces of data we leave practically everywhere in our electronic lives - they do not impinge on our embodied identities. The data are not us, or at least until the credit card bill arrives.

At first glance, such an outlook may seem dangerously naive, especially in the age of identity theft. However, I wonder if the perceived necessity for physical privacy is symptomatic of a much more profound desire for a stable identity, taken from us precisely because we cannot help but to propagate ourselves in bits and pieces, as data-traces, in our electronic transactions?"

Tuesday, January 25, 2005

Access requests and civil litigation discovery are two different things ...

The Office of the Privacy Commissioner has recently (24 January 2005) released a finding based on a complaint brought by a former employee who sought access to his personal information. The complainant was already suing his former employer related to his employment.

The case raises a number of interesting issues: you can only charge a token amount ($1500 is not a token amount) to provide access to personal information and discovery rights under concurrent litigation do not oust the right of access under PIPEDA:

Commissioner's Findings - PIPEDA Case Summary #285: Company refuses former employee's request for access - December 21, 2004 - Privacy Commissioner of Canada:

"Finally, the Assistant Commissioner commented on the two issues raised by the respondent during the investigation. With respect to the view that the complaint was an attempt to circumvent the disclosure and production rules under the Rules of Civil Procedure, the Assistant Commissioner noted that the scope of discovery is different from the scope of an access to personal information request under the Act. Discovery requires each party to a proceeding to disclose before trial all of the facts and information that it is aware of and that are relevant to the issues in the lawsuit. The Act grants a right of access to all personal information about an individual held by an organization, subject to certain exceptions, whether relevant or not. The Assistant Commissioner maintained that documents received through discovery cannot be considered sufficient to meet the requirements of an access request under the Act.

Regarding the company's concerns about providing minutes from board meetings to the complainant, the Assistant Commissioner reminded the organization that the Act provides for exceptions to the right of access to one's personal information, which are outlined in section 9, noting in particular the provision regarding confidential commercial information.

She recommended that the company examine its records and provide the complainant with access to all of his personal information collected, used or disclosed during the time period requested, subject to any exceptions.

The Assistant Commissioner noted that she remained skeptical that no single member of the board of directors took notes during the meetings when the decision to terminate the complainant's employment and his ensuing lawsuit were discussed. She recommended that the company confirm with all staff members and directors that no notes, e-mails or other material collected and retained contained the complainant's personal information. The Assistant Commissioner asked that the company report back to her to confirm what actions it had taken in response to the complainant's allegations."

MedicalPost.com: OPED: A reminder of responsibilities on safeguarding health info

Today's edition of the Medical Post contains an OP-ED piece by Ken Pole, reminding physicians of their obligations under new privacy laws:

MedicalPost.com: OPED: A reminder of responsibilities on safeguarding health info:

"...Then there's the fact that if health-care consumers have a grievance about improper use of personal information, it's up to them to initiate legal action. There's nothing in PIPEDA that provides for penalties or damages, and since it is Federal Court of Canada jurisdiction, up-front legal costs quickly become horrendous.

I'm not a fan of litigation but sometimes it's unavoidable, even necessary, to make an example. If a physician or institution breaks the law, the only current punishment is public embarrassment. Perhaps a substantial fine, including damages to the complainant, would wake everyone up.

So, if you still needed it, consider yourself rapped between the ears. And now that you're paying attention, check out the Privacy Commissioner's Web site for a general guide at http://privcom.gc.ca/ information/guide_e.asp as well as information developed specifically for the health sector."

Personally, I'd recommend the Physician's Privacy Manual, which I wrote and that can be purchased from National Privacy Services at 1-877-PRIVLAW.

China introduces privacy law

The China People's Daily is reporting that China is introducing a privacy law. I am reproducing the article in its entirety, since I had some trouble bringing it up at all ...

People's Daily Online -- China to legislate for protection of personal information:

"The expert-suggested draft for the "Law for Personal Information Protection of the People's Republic of China" was brought out the other day.

As entrusted by the Information Office of the State Council, the legislation was drafted by a subject group of experts from the legal research institute of the Chinese Academy of Social Sciences.

Zhou Hanhua, chief of the subject group and a researcher at the Legal Research Institute of the CASS, gave an interview to a reporter the other day.

Leakage of information incurs big trouble: just bought a house and had a child, and business dealers come calling one after another.

"I have a feeling that my personal information is known to almost everybody, without any privacy of my own, as though I were a 'transparent figure'," said Mr. Xu, who works in the IT business, with emotion recently. "I wanted to find a job a few months ago; without my sending out many personal resumes, numerous companies phoned me. I have just bought a new apartment and so far haven't got the key yet, but many building material dealers and household moving companies phoned to ask me whether I would like to buy furniture or building materials. Last year, when my wife had just given birth to a child, I received a lot of advertisements for baby articles at my home."

"In Chinese tradition, personal rights are normally neglected, hence the frequent occurrence of personal information being maliciously infringed," said Zhou Hanhua, researcher at the Legal Institute of the CASS. Some schools, to prevent cheating in examinations or to strengthen internal administration, installed closed-circuit TV equipment for monitoring, so that every action and behaviour of students was under control. Some places collected more than 100 pieces of personal information when making various kinds of cards for social insurance or other e-cards. This harbours a great danger of abusive use of personal information.

To deal with the problems entailed by the emergence of an informationized society, the Information Office of the State Council requires that State informationization legislation be hastened. Work started in 2003, Zhou Hanhua said, and the draft of the "Law for Personal Information Protection" suggested by the expert group has now been completed and will soon be put on the agenda for legislation.

Cellular phone numbers, home addresses, medical files and occupation information are all on the list for protection.

When the protection of personal information is mentioned, people at once think of the protection of personal privacy, said Zhou Hanhua. "What the 'Law for Personal Information Protection' protects is not only the personal privacy of a citizen but a wider scope than personal privacy, for instance your cellular phone number, home address, medical files, occupation and so on. These may not fall into the category of personal privacy but are under the protection of the 'Law for Personal Information Protection'. And if you have delivered your resume to an employer, the company is liable to keep the information for you. Should the other party make your personal information known to others, it is considered to have violated the law, whether intentionally or unintentionally."

In addition, as to whether a camera may be installed in a public place at will, and how to define secret filming or recording, the law has laid down stipulations.

For information protection, attention had better be paid in advance, regulating it from the very source.

The "Law for Personal Information Protection" has to protect personal rights on the one hand, Zhou Hanhua is of the opinion, and on the other it must not obstruct the normal circulation of information. It must offer full protection to personal information, while taking into consideration the needs of social governance and supervision.

In the past, the way for a victim to protect his personal privacy was more often than not a lawsuit after the violation happened, demanding compensation from the violator, said Zhou Hanhua. Now the protection of personal information includes not only protection after the event but also intervention beforehand, i.e. regulating the behaviour from the very start. For instance, if some schools want to install video cameras, it should be done only after examination and approval.

Possible to incur criminal liability for violating personal information

Under the law at present, violation of personal reputation can only be subject to liability under the civil law, Zhou Hanhua said. Once the "Law for Personal Information Protection" is officially brought into force, violation of personal information may entail not only administrative and civil responsibilities but even criminal liability.

In foreign countries, a violation of personal information is liable to be sentenced to 2 to 3 years of imprisonment if it constitutes a crime, Zhou Hanhua said. How criminal responsibility is taken up in China must be referred to the particular requirements of the criminal law, and overseas practices may be taken as references.

By People's Daily Online"

Monday, January 24, 2005

Electronic health records: safety, efficiency and privacy

Business Week is carrying an article on the movement toward electronic health records in the United States, including a discussion of some of the privacy issues raised by them.

Between You, The Doctor, And The PC:

"...

HOW PRIVATE?

A move to electronic records could make a patient's medical files accessible anywhere in the world. Proponents point to reduced costs and increased patient safety. Meanwhile, privacy advocates raise questions about security. Of major concern is that there not be a central, national repository of patient information, but rather a network of records maintained by individual providers and health systems. 'I don't think a national database would fly in this country,' says Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit that focuses on such issues. She says such a system would be vulnerable to insider abuse and could become a target for hackers."

Thanks to PrivacySpot for the link: BusinessWeek Examines Issue of Online Medical Records | PrivacySpot.com - Privacy Law and Data Protection

Some thoughts on the Better Business Bureau's rules for collecting customer information

My previous blog posting, PIPEDA and Canadian Privacy Law: Privacy Imperatives for Customer Data: Interview with Jordana Beebe, refers to the Better Business Bureau's new rules for personal privacy.

The BBB's basic rules are:

  • If you do not need it, do not collect it.
  • If you need it once, do not save it longer.
  • If you got it, but you do not need to save it, dispose of it carefully.
  • If you have to keep it, think security.
  • Do not broadcast personal information.
  • Do not use Social Security numbers as account numbers.
  • Do not give out employee or customer information to anyone whose identity cannot be positively confirmed.
  • Locks and alarms are a real deterrent.

From a consumer point of view, they seem to be a step in the right direction. They differ significantly from the Canadian Standards Association Model Code for the Protection of Personal Information, which is the benchmark in Canada (and is now mandatory under the Personal Information Protection and Electronic Documents Act). The BBB rules appear to be entirely focused on reducing the risk of identity theft, rather than respecting a customer's right to informational self-determination. There is no mention of letting customers know how you propose to use the information, nor is there any element of choice for the consumer. Both of these are fundamental to the CSA Model Code. Though the code has its share of critics, it is reasonably balanced and probably the best one out there.

Privacy Imperatives for Customer Data: Interview with Jordana Beebe

Business Week magazine is running an interview with Jordana Beebe of the Privacy Rights Clearinghouse about the Better Business Bureau's Basic Rules for Businesses on Protecting Personal Information . Privacy Imperatives for Customer Data:

"Smart Answers columnist Karen E. Klein recently spoke with Jordana Beebe, communications director of San Diego-based Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization, about identity theft, a new set of business privacy guidelines released by the Better Business Bureau, and how both companies and consumers can protect themselves as more and more information goes digital. Edited excerpts of their conversation follow..."

Sunday, January 23, 2005

Driver's licenses as national IDs?

The Christian Science Monitor is carrying an article on the current debate over the move to set standards for issuing driver's licenses in the US, all in the name of security. Many are concerned this is the first step toward a de facto national ID card:

A driver's license as national ID? | csmonitor.com:

"...What several analysts question is why standardizing IDs makes us more secure.

'How does identification really relate to security?' asks Daniel Solove, a law professor at George Washington University and author of 'The Digital Person: Technology and Privacy in the Information Age.' 'People just assume it [improves security] as if it was a fundamental truth.'

The new law focuses heavily on how a license is obtained, systematizing the list of documents needed to apply and how to verify them. In some states, like New York, it's a long list."

The Commissioner is on the case of leaked lawyer's personal information

From a report in the Edmonton Sun, it appears that the Federal Privacy Commissioner is -- personally -- investigating how an imprisoned criminal in the United States obtained very personal information about an Edmonton lawyer:

Privacy boss to probe how con got confidential info:

"The federal privacy commissioner is coming to Edmonton to probe RCMP records in an effort to determine how a city lawyer's personal information ended up in the U.S. jail cell of a convicted skinhead. But criminal defence lawyer Tom Engel has also come up with some of his own theories about how his personal information - and that of his partner, their wives and four legal assistants - got into the jail cell of skinhead Daniel Sims. "

I'd be very surprised if Jennifer Stoddart is putting on her trenchcoat and digging out her magnifying glass to investigate this personally, but that's what it sounds like.

(For some background on the story of Tom Engel's personal information disclosure, see: PIPEDA and Canadian Privacy Law: Authorities give US prisoner detailed personal information on Albertans)

Saturday, January 22, 2005

Update on weird questions at airport checkin

There has been a lot of buzz about Cory Doctorow's experience checking in for a transatlantic flight with American Airlines. (See PIPEDA and Canadian Privacy Law: Weird personal questions reported on checkin with airline.) The author of Secondary Screening contacted the airline and actually received a prompt reply, which is posted on his site:

Secondary Screening: Cory Doctorow and Secondary 'Secondary Screening' Classes:

"After reviewing our documentation on Mr. Doctorow's experience in London, it is evident that both our contracted security screener and Mr. Doctorow contributed to what is not a representative example of our security screening process.

Mr. Doctorow exhibited specific behaviors and cues before and during our initial security screening that caused our screener to initiate a secondary screening process. We will not publicize those behaviors because to do so might hamper the effectiveness of the screening process in the future.

That said, our contracted screener veered from standard procedure when she asked for Mr. Doctorow to write the addresses of his destinations in the United States. She did clearly state that once the interview was completed, the address list would be destroyed in front of Mr. Doctorow or that he could have the list to keep. American Airlines absolutely does not register or record that type of personal data.

Although the agent concerned is very promising, this incident clearly showed a lack of experience in the questioning process. The agent will go through additional training and supervision. Through daily briefings, the remainder of the station will benefit from the experience gained from this incident.

American Airlines is entirely serious about the security procedures we undertake to help ensure the safety of our passengers and crews. We expect that our passengers apply the same serious consideration when they encounter our procedures. The vast majority of airline travelers appreciate the increased security and have adapted to a new reality in air travel. That is not, however, an excuse for security measures to be applied unevenly, and to reiterate, we do not keep personal information gathered during screening processes.

We appreciate that Mr. Doctorow called our attention to the mistakes that were made because it helps us rectify the situation going forward. He will also receive a personal response to the letter he sent to our Customer Relations department.

Tim Wagner
American Airlines Spokesman"

Incident: Identity Theft Concerns Over UNC Lost Hard Drive

I am no longer surprised when I hear about huge security breaches involving personal information at universities. Now, students and staff at the University of Northern Colorado are the victims of a lost computer hard drive containing very sensitive personal information:

PRESS RELEASE: Identity Theft Concerns Over UNC Lost Hard Drive:

"More than 15,500 students and staff at the University of Northern Colorado (UNC) may be in jeopardy of identity theft after a university computer hard drive containing confidential personal and financial information was announced to be missing by UNC President Kay Norton on Thursday, Jan.20. As reported by Mike Peters of the Greeley Tribune, the external hard drive contained names, addresses, Social Security numbers, bank account numbers, dates of birth and pay schedules for students and staff dating back to April 1997...."

Incident: Harvard Hacked

The Harvard Crimson is reporting on a security breach at Harvard University that allowed access to student numbers and student drug prescriptions: Drug Records, Confidential Data Vulnerable: Harvard ID numbers, PharmaCare loophole provide wide-ranging access to private data.

See also coverage in the Boston Globe:

Boston.com / News / Local / Mass. / Harvard fixing data security breaches:

"...Harvard shut down access to a software tool widely used by faculty to survey students, after student reporters from The Harvard Crimson demonstrated how it could be misused to obtain any student or employee's Harvard identification number. The eight-digit ID numbers, printed on identification cards, are widely used by students, staff, and faculty to conduct business on campus.

In a more disturbing security problem, the Crimson reported that by using student birth dates and ID numbers obtained from the polling site, its staff members were able to misuse a website run by an outside health care firm, Rhode Island-based PharmaCare, to get access to lists of prescription drugs bought by Harvard students. At the university's request, access to that website for Harvard community members has now been blocked by the company...."

How do employees feel about workplace privacy?

Michael Fitzgibbon at Management Updates: Toronto Labour Relations and Employment Lawyer has a summary and a review of the findings of the 2005 Workplace Privacy Survey that's definitely worth taking a look at:

Toronto Labour Relations and Employment Lawyer: Michael Fitzgibbon:

"How Do Employees Feel About Monitoring and Privacy?

There are a couple of articles on the 2005 Workplace Privacy survey commissioned by the Society for Human Resource Management and CareerJournal.com (see:Survey Suggests Employees Doubt Workplace-Monitoring Motives and You May Have Less Privacy At Work Than You Think)....."

Friday, January 21, 2005

RBC Financial Group names Jeff Green as chief privacy officer

This is the first time I've seen a Canadian company issue a press release to announce the appointment of a CPO. Good to do, in my view.

RBC Financial Group names Jeff Green as chief privacy officer:

"TORONTO, Jan. 20 /CNW/ - RBC Financial Group today announced the appointment of Jeff Green as chief privacy officer. In this capacity, Mr. Green is responsible for overseeing the implementation of policies and practices for the management of privacy on an enterprise-wide basis...."

Thursday, January 20, 2005

Commissioner finds Custodian disclosed health information for purposes of a court proceeding in accordance with the Act

The Information and Privacy Commissioner of Alberta has just released a significant decision about the ability of physicians to release personal health information to the Canadian Medical Protective Association, the mutual defence organization that includes 95% of Canadian physicians. In the decision, the Commissioner concluded that a physician is able to disclose personal health information without consent (and even over the objections of the patient) to the CMPA, even if the disclosing physician is not a party to the lawsuit.

I expect this will be a bit controversial ...

From the Commissioner's press release:

Commissioner finds Custodian disclosed health information for purposes of a court proceeding in accordance with the Act:

"January 20, 2005

Commissioner finds Custodian disclosed health information for purposes of a court proceeding in accordance with the Act

The Complainant said that Dr. Murji ('the Custodian') disclosed his health information to the Canadian Medical Protective Association ('CMPA') in contravention of the Health Information Act. The Complainant had brought a medical malpractice action against three physicians but not against the Custodian who was the complainant's treating physician. The CMPA, which is a defence organization or quasi-insurer for physicians, was representing the three defendant physicians. In an interview with legal counsel for the CMPA, the Custodian disclosed information about the Complainant's medical treatment. The Complainant had expressly objected to the interview.

The Commissioner found that section 3(a), which says the Act does not limit information otherwise available by law to a party to legal proceedings, allows the Act and the common law to co-exist and did not remove this disclosure from the scope of the Act. He found the Custodian disclosed the health information in accordance with section 35(1)(h) of the Act as the information was disclosed for the purpose of a court proceeding. Section 58(2) of the Act did not apply as the only issue was whether the Custodian could grant the interview, not the amount of information disclosed during the interview. The Commissioner also found that the Custodian had properly exercised her discretion to disclose."

Wednesday, January 19, 2005

Weird personal questions reported on checkin with airline

Cory Doctorow, author of the popular website BoingBoing, has a post on his site about a weird experience he had checking in for a flight from the UK to the USA. The airline required him to provide a list of all the folks he'd be staying with in the US. Not content to comply, he refused, questioned their authority to ask this information and, finally, has written an open letter to the airline, which is available here. This is the first I've heard of such questioning.

Boing Boing: Why is American Airlines gathering written dossiers on fliers' friends?

"Last week on a trip from London to the US, American Airlines demanded that I write out a list of the names and addresses of all the friends I would be staying with in the USA. They claimed that this was due to a TSA regulation, but refused to state which regulation required them to gather this information, nor what they would do with it once they'd gathered it. I raised a stink, and was eventually told that I wouldn't have to give them the requested dossier because I was a Platinum AAdvantage Card holder (e.g., because I fly frequently with AA). I have written an open letter to AA asking for details on this -- see the link below for the whole text...."

Computer World tries to answer "What's up with universities?"

After a string of successful penetrations of university computer systems containing personal information, Computer World has an article that tries to answer my question, "what's up with universities":

Hack Exposes Lax Security in Academia - Computerworld:

"....In a survey of 501 colleges and universities conducted last fall by The Chronicle of Higher Education Inc. and Gartner Inc., 41% of the respondents said hackers had succeeded in penetrating their systems. Fifty-three percent reported denial-of-service attacks, and 14% reported unauthorized access to student data.

But there is a growing awareness of the potential cost and risk to reputation associated with lax security, and a better understanding of the broader threat that unsecured university networks can pose, said Rodney Petersen, a policy analyst at Educause, a Washington-based nonprofit association of 1,900 universities.... "

See also PIPEDA and Canadian Privacy Law: What is up with universities?.

Privacy issues delay posting of doctors' profiles

The government of Manitoba originally promised that it would make "report cards" of the province's physicians available online. The project is being delayed due to privacy concerns, reports the Winnipeg Sun:

Winnipeg Sun: NEWS - Privacy issues delay posting of doctors' profiles:

"Manitobans will have to wait until at least the spring to access 'report cards' on their doctors' pasts. The NDP promised more than 2 1/2 years ago to make physician profiles public on the Internet, including records of disciplinary action and malpractice judgments....

He said there are concerns the privacy of doctors will be violated if unfounded complaints are published for all to see...."

Tuesday, January 18, 2005

Incident: More hacking of university computers containing personal information

Here we go again!

Yahoo! News - Hacker Breaches Security Of 2 UCSD Computers:

"A hacker breached the security of two University of California San Diego computers that stored the names and Social Security (news - web sites) numbers of about 3,500 students and alumni of UCSD Extension.

The breach, which left the personal information exposed for as long as a couple of days, is the third such incident at UCSD in the past year, according to The San Diego Union-Tribune.

University officials said there is no evidence of identity theft. An investigation showed the hacker was using the servers to store music and movies, UCSD spokeswoman Dolores Davies told the newspaper.

The breach was discovered in mid-November and those who were affected were mailed notification letters the first week of January, the newspaper reported...."

UK patients can opt-out from electronic health records

I'm aware of a number of government-sponsored electronic health records programs, from Nova Scotia to Alberta and further afield. The one being planned and implemented in the United Kingdom is the first that I know of that will allow individuals to choose to not be included:

Guardian Unlimited | The Guardian | Patients can stay off NHS database:

"NHS patients are to be asked whether they want intimate details of their personal medical history to be included in a new national electronic database that can be accessed by GPs, paramedics and hospital staff throughout England.

Those worried the information could be abused will be entitled to have it removed from the system or placed in an electronic 'sealed envelope', to be opened only in a dire emergency, John Hutton, the health minister, said yesterday.

However, patients restricting access to their records in this way ran the risk of clinical staff making mistakes in an emergency through lack of relevant information about previous medical conditions or allergic reactions. "

Monday, January 17, 2005

'Counselor' appears to have violated privacy laws

The Fort Wayne (IN) News Sentinel contains a letter and a response related to what may be a really reprehensible practice. A woman wrote in that she was "set up" to participate in marriage counseling, the purpose of which may have been to assemble information to be used against her in a divorce proceeding. She was asked to sign a release, which she likely did not read and which appears to have given permission for the counselor to provide the information to her husband's lawyer. Though I can't imagine that the "release" would stand up to close scrutiny, it reinforces the lesson that people should read what they're signing.

KRT Wire | 01/17/2005 | 'Counselor' appears to have violated privacy laws:

"(KRT) - Q: ...

This "counselor" had both my husband and me sign releases when we came to his office, which I thought was standard procedure, but my husband's lawyer now has all of our records and is nitpicking and choosing information from my files to crucify me. My attorney says that my husband's part of the file is "clean," and that he has never seen a case like this. Had I known that my husband's lawyer picked the counselor to sandbag me, I would have never gone, much less signed a release. What can I do? Or is my goose cooked for being naive?

A: Based on the facts as you describe them, we don't know if it's your goose - or that of your "counselor" - that is cooked. In addition to state laws and ethical considerations that require confidentiality of protected health information, health care providers - including psychologists - are subject to federal confidentiality laws.

As we have referred to tangentially in other columns, the federal medical information privacy law - called HIPAA - applies to all health care providers, including psychologists, who deal with protected health information. This means, in its most simplistic form, that covered entities and individuals are required to keep protected health information confidential - unless they receive a valid release. In addition, "business associates" of these health care providers, including professionals such as accountants, lawyers, etc., are likewise required to maintain the confidentiality of protected health information.

In order to secure a valid HIPAA release, the document must have been signed voluntarily and with "informed consent." Informed consent means that all of your questions should be answered before you sign the document. It's not enough to merely hand you a form and tell you to read it and sign it.

In addition, the release should set forth the purpose and contain withdrawal provisions.

Here, it would appear to us that your lawyer may have an argument that you signed the release under what appears to be fraudulent circumstances. Surely, you would not have consented to see this counselor had you known that he was a friend of your husband's lawyer and that your husband had been seeing a lawyer for a period of time before you were "directed" to this medical professional for purposes other than counseling - that is, to have a professional witness available to corroborate your husband's positions.

Without full disclosure, we don't believe you could have given voluntary consent. And, given your desire to save your marriage, we don't believe that the counselor has lived up to the appropriate standard of care of a "reasonable and prudent" psychologist, or that you or another reasonable patient would have done this had you known the true circumstances. In other words, you appear to have been coerced.

Under these circumstances, we believe you have a good argument that your lawyer needs to raise in order to protect your interests and those of your children."

Saturday, January 15, 2005

Handling customer complaints under PIPEDA

Anybody reading the Canadian media before Christmas couldn't help but notice the huge amount of coverage given to a stream of faxes sent by a number of branches of a particular bank that kept on finding their way to a junkyard in West Virginia. The story took off and other complainants came out of the woodwork. Other banks were also the subject of stories, all related to mishandling of sensitive personal information (PIPEDA and Canadian Privacy Law: Bank faxes saga continues; involves other banks, too). Further examples of misdirected personal information are appearing in the media (see TheStar.com - Customer privacy concerns continue at CIBC). The most obvious thing to learn from these incidents is that people need to be very careful when faxing customer information. Or mailing it. But what is not as obvious is that none of these stories should have ever made it as far as they did. Not only was customer information mishandled, but more importantly (from the bank's point of view), the customers were mishandled.

I've touched on this before (PIPEDA and Canadian Privacy Law: Two magic words, big effects ...), but it bears repeating. Where the banks (and most organizations that end up at the unpleasant end of a privacy complaint) went wrong is the way they acted when their misstep was brought to their attention: (i) they did little to reassure their customers, (ii) they did not appreciate the gravity of the situation, and (iii) they did not escalate the issue to the proper level. From what I understand of the faxing fiasco, the faxes went from a wide range of branches to one unintended recipient. Calls to the branches may have elicited a response, but they were not reported to a higher authority who would get a sense of the big picture and realize that there was a problem and that it was chronic. Each branch did not know that dozens of other branches were making the same mistake, and nobody was tracking the issue. When it comes to privacy breaches, one person in senior management must be apprised of the situation. Only that person will know whether it was a one-off incident or whether the screw-up is pervasive.

Secondly, employees of organizations need to be resensitized to the importance of the personal information they handle. It may not be important to the company, but that is irrelevant. It is important to the customer, so it must be treated appropriately. I happened upon an example of this at Ottawa airport the night before last. Sitting in the restaurant, the woman at the table next to me got up to go. She must have been an airline employee, because she left behind a copy of a manifest for a flight from Halifax to Ottawa. Being a nosy sort, I picked it up. I recognized a few names on the list, including a particular superior court judge who would not have been impressed. It told me that the person in seat 23A was 73 years old and needed help to get on and off the plane (why they put her in a window seat at the back of the plane should be the subject of a different sort of complaint). It also listed who ordered kosher meals.

To some, this is sensitive personal information and should not have been left lying around. But I think that people who deal with sensitive personal information all the time become numb to the fact that it really is sensitive and needs to be properly protected. I am sure that all lawyers know of colleagues who can be pretty casual when talking about clients. I've certainly heard some doozies about testimony about intimate matters that was probably humiliating to the person to reveal, but really had no effect on the lawyers since they've seen it all. When the information is routine, you start treating it routinely. I have heard from dozens of managers and business owners who say that they don't have to worry about privacy law because the information they handle isn't "sensitive." Well, in many cases it is, but the company has forgotten that it is sensitive or may be sensitive to their clients. All businesses need to think about information through the eyes of their clients. Even more, they need to think about it through the eyes of their most sensitive, paranoid clients. Personal information is important and must be treated accordingly.

Finally, each customer concern must be treated seriously. Most people don't complain routinely. Some may be chronic complainers, but most are not. If a client takes the time to complain about how their information was handled, they have only done so because it matters to them. If you treat the complaint casually, it can easily get out of control. If they don't get satisfaction from the organization, with the respect and priority they think it deserves, they will take their complaint to the privacy commissioner or, worse yet, to the media. I've read all the published findings on the Commissioner's website. Initially, I would sometimes think that some people complain about truly trivial things. I scratched my head at more than a few. Then I began to wonder more and more often how the organization ever let the complaint get to the Office of the Privacy Commissioner in the first place. When a complaint gets that far, particularly about something "trivial", it is most likely because the organization didn't fix the "trivial problem" and let it get out of control. If you fix it as soon as it happens, that's it. No complaint. No problem.

I've dealt with customer concerns on behalf of clients. In almost every case, they are resolved favourably if you take the concern seriously, give it due priority, treat the customer with respect, and ultimately fix their problem.

To give an example, I was involved with a concern/complaint about a consent form that had been prepared for a client. This particular client was in a large industry but was the only location in their city that was visibly tackling the privacy issue. The customer called with some questions and was immediately referred to the privacy officer. Initially, the customer sounded a little indignant. He had read the form and had a problem with one of its provisions. We were satisfied with the correctness of the document, but the customer didn't seem to be amenable to our explanation. Since we were right, we could have told him that and walked away. But that wouldn't have ended the matter, since he knew enough about PIPEDA to make it likely that he'd buy a stamp and complain to the Commissioner. So we figured that if he was asking questions, there were probably a dozen or so customers who had the same question but didn't contact the client. Rather than fight it, we redrafted the form to make it clearer. We even asked the customer for his opinion of the new form, and he approved. In the end, rather than have a potential complaint on our hands, the customer actually sang the client's praises around town, leading to more business. Not only was a complaint avoided, but we managed to improve the customer's relationship with the client.

Privacy is not just a legal compliance issue. As an increasing portion of customers are concerned with the protection of their personal information and whether they can trust the companies they deal with, privacy is a critical customer relations issue. If you don't appreciate that fact and begin to look at your business through your customers' eyes, you are at much greater risk of having a complaint go to the Privacy Commissioner. That involves expense, a risk of bad publicity and a lost customer.

One further thought: I'm often asked by my clients about who should assume the role of privacy officer for their company. If they are a large company, they often think it should be their in-house counsel. At first blush, this seems sensible since a lawyer has the tools to understand and apply the law. I always say that it depends upon the individual lawyer. Many lawyers reflexively get defensive and switch into denial mode. (Or at least begin denying until they have a chance to investigate.) Because this is a customer service issue as well as a legal issue, the privacy officer needs to be customer-friendly. Not all lawyers have this trait. Automatic denials and switching to "damage control" tend to escalate matters, while empathy, understanding and focusing on a solution for the customer will calm the situation. A lawyer with privacy expertise should always be consulted, because this is a legal, risk-management issue. Few employees have the knowledge of PIPEDA to fully understand the company's obligations and the risk it faces in a particular situation.

FBI Keeping Records on Pre-9/11 Travelers

In the aftermath of the terrorist attacks on September 11, 2001, US federal investigators obtained massive amounts of information on individuals who were airline passengers in the months leading up to the attack. The FBI is keeping those records, according to the Associated Press, with no intention of giving them up. Privacy activists are up in arms over it:

FBI Keeping Records on Pre-9/11 Travelers: "

WASHINGTON (AP) - If you're among the millions of Americans who took airline flights in the months before the Sept. 11, 2001, terrorist attacks, the FBI probably knows about it - and possibly where you stayed, whom you traveled with, what credit card you used and even whether you ordered a kosher meal.

The bureau is keeping 257.5 million records on people who flew on commercial airlines from June through September 2001 in its permanent investigative database, according to information obtained by a privacy group and made available to The Associated Press.

Privacy advocates say they're troubled by the possibility that the FBI could be analyzing personal information about people without their knowledge or permission.

'The FBI collected a vast amount of information about millions of people with no indication that they had done anything unlawful,' said Marcia Hofmann, attorney with the Electronic Privacy Information Center, which learned about the data through a Freedom of Information Act request. 'The fact that they're hanging on to the information is inexcusable,' Hofmann said on Friday...."

US law will require secure disposal of employee info

From USA Today (via beSpacific: Employers Soon to be Required to Shred Employee Documents):

USATODAY.com - Identity theft, new law about to send shredding on a tear:

"You've heard about shredding. You understand that it's probably a good idea to shred any receipts that have your credit card numbers or other personal information on them to stop identity theft.

You may have seen shredders at the office or noticed bulging trash bags of thin paper strips in the dumpster when you're walking the dog past a local business at night.

But now there's a law with a provision going into effect this summer that says if you employ even one person - a nanny, a yard man - and you have their personal information because you're doing the right thing and paying Social Security taxes, you have to 'destroy' the information before you throw it away.

You have to shred it or burn it or pulverize it.

Or you could get sued. Or fined. Or become part of a class-action lawsuit by enraged nannies whose personal information has somehow gotten out.

Bet you didn't know that.

The shredder industry does, and it expects sales to go on a tear.... "

The article is referring to the Fair and Accurate Credit Transactions Act (Bill Summary & Status).

Friday, January 14, 2005

More on the George Mason University hacking incident

The Washington Post has an excellent article on the recent hacking incident at George Mason University and what's unique about the university context. It goes a long way in answering my question, "What is up with universities?" (See: PIPEDA and Canadian Privacy Law: What is up with universities?.)

George Mason Officials Investigate Hacking Incident (washingtonpost.com)

On Tuesday, the university handed over the hacked computer -- a Windows 2000 server -- to the Fairfax County Police Department. The police and the FBI were running forensic tests, looking for electronic clues to the hacker's identity. GMU is only the latest campus to be hit by a hacker. In the past two years, similar attacks occurred at the University of Georgia, the University of Texas at Austin, the University of Missouri at Kansas City, the University of California at San Diego, and the University of California at Berkeley.

University campuses present a particularly inviting security target, experts say, because their systems house large amounts of personal data. But protecting the information is more complex than for a typical business because universities are built to foster collaboration and free exchange of information.

"This meant few policies, few restrictions" on how computer networks were to be accessed and used, said Rodney J. Petersen, security task force coordinator for Educause, which works on information technology issues for about 2,000 higher-education institutions. "But our greatest strength is now a weakness."

Wired foreshadows the privacy fights for 2005

Thanks to PrivacySpot for pointing me to the interesting article in Wired on the upcoming privacy fights of 2005:

Privacy Battles of 2005 | PrivacySpot.com - Privacy Law and Data Protection:

"Wired is running a nice article about the upcoming privacy fights of 2005. President Bush has plans to expand federal powers under the Patriot Act. Whether that involves passing Patriot II or pushing provisions through piecemeal remains to be seen. What is evident, though, is that privacy advocates have cause for concern. Unfortunately, the SAFE Act, which seeks to counteract some of Patriot's more onerous provisions, is languishing in the House and Senate floors. Also on the horizon are battles over national ID cards, DNA databases, states' rights in passing privacy legislation, and the ubiquitous RFID tags. It promises to be an interesting year, as privacy battles escalate because of two factors: increased demands for privacy restrictions due to terrorism, and the rapid elimination of formerly insurmountable technological barriers."

Wednesday, January 12, 2005

Ridge Seeks Fingerprints on Passports

CNN and the Associated Press are reporting that the outgoing Homeland Security Secretary is calling for the fingerprinting of all US passport holders. He says that they can "offer assurances" that the use of the fingerprints would be limited. To what? He doesn't say.

Yahoo! News - Ridge Seeks Fingerprints on Passports:

"WASHINGTON - The United States should put the fingerprints of its citizens on passports to enhance global security, outgoing Homeland Security Secretary Tom Ridge said Wednesday in a recommendation risking a privacy fight at home.

Ridge said passports could ideally include biometric finger scans - for all 10 fingers - to help customs officials quickly and accurately identify U.S. travelers. He offered no details on how the plan might deal with privacy concerns or guard against international identity theft.

'If we're going to ask the rest of the world to put fingerprints on their passports, we ought to put our fingerprints on our passports,' Ridge said in a speech at the Center for Strategic and International Studies before heading overseas to talk about security ties with the European Union.

'Now, culturally, historically, there are a lot of reasons that some countries are averse or very reluctant to give people finger scans,' Ridge said. He said that by offering assurances that use would be limited and benefits would be significant, 'we could get the world to move more quickly toward a common international standard.' ..."

Also on CNN: Ridge presses for fingerprints on passports - Jan 12, 2005

Incident(s): Hacker breaches T-Mobile systems, reads US Secret Service email

The Register (via Privacy Digest) is reporting on a staggering breach of security at a US wireless service provider. A hacker apparently had unencumbered access for at least a year to T-Mobile's systems, including US Secret Service e-mails, text messages, celebrity phonecam snaps and other sensitive personal information.

Hacker breaches T-Mobile systems, reads US Secret Service email | The Register:

"A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor US Secret Service email, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.

Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with web access to their T-Mobile email accounts. He did not have access to credit card numbers.

...

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile was available to comment on the matter...."

Read the full article ... it's scary reading.

Update: The Associated Press is now carrying this story: Hacker Breaks Into T-Mobile Network:

"WASHINGTON - A hacker broke into a wireless carrier's network over at least seven months and read e-mails and personal computer files of hundreds of customers, including the Secret Service agent investigating the hacker, the government said Wednesday... "

New standard European clauses for data transfers approved

The European Commission has approved a new set of standard contractual clauses which businesses can use to ensure adequate safeguards when personal data is transferred from the EU to non-EU countries.

Frequently asked questions are available here, the new clauses are here, and the model privacy contracts page is here.

Thanks to PrivacySpot.com for the pointer.

Tuesday, January 11, 2005

Fallout from the Englander decision

ITBusiness.ca, which is consistently one of the best sources of privacy news in Canada, is reporting on a discussion of the fallout of the Englander decision. (For more info on the case, check out PIPEDA and Canadian Privacy Law: FCA hands privacy victory to the "little guy".)

Michael Geist expressed fears that the Englander decision, in which the Federal Court of Appeal reversed a finding of the federal Privacy Commissioner, may have exposed the Commissioner as toothless. She has no order-making powers, and individuals have to pursue a remedy in the courts. Michael's comments are also informed by his recent experience as a successful complainant in a ground-breaking spam decision, in which the Assistant Commissioner concluded that his work e-mail address is "personal information", notwithstanding the definition of personal information in the Act. Many of the comments he has received suggest that many think the finding is of little value unless it is taken to the Federal Court for enforcement. (Others, I might add, want it to go to the Court to be reversed.)

Telus case calls role of Privacy Commissioner into question:

"1/11/2005 5:00:00 PM - After an appeals court supports Matthew Englander's right to keep his name out of the phone book, experts are left wondering what power the federal office really has. Also: where PIPEDA fits in

A recent federal court decision to overturn one of the Privacy Commissioner of Canada's first findings under the country's privacy act has raised questions about how well the Commissioner can enforce the law."

From a consumer's point of view, one of the harshest lessons to be learned from Matthew Englander's experience is that going to the Court is not to be taken lightly. He disagreed with the Commissioner's finding, so he took it to the Federal Court. The Court upheld the Commissioner's finding and hit Matthew with $18,000 in costs. He was ultimately vindicated by the Court of Appeal, but the message sent by the Court is loud and clear: only advocacy groups or well-funded consumers should take the risk of going to court. The Commissioner's office can go to court on behalf of a complainant, but they are under huge budgetary constraints and I don't think they'll go to have their own finding reversed.

Customers always willing to trade privacy for services

Privacyspot is linking to a survey that confirms what most privacy-aware folks know. Consumers will trade privacy for services and convenience:

Internet Marketing Survey Finds Consumers Willing to Share Information . . . Sometimes | PrivacySpot.com - Privacy Law and Data Protection:

"A survey of 1,799 Internet users in the United States shows that '89% would let a trusted marketer share their personal interests with a third party without permission in order to increase the quality of services and products produced. However, only 20% would let a marketer share information in order to track their buying behavior and project future purchasing decisions.'

In other words, as long as there is an immediate, direct benefit to the consumers, they are willing to allow their information to be shared.... "

Companies Simplify Data Privacy Notices Based On European Recommendations

In November, the Article 29 Working Party on privacy of the European Union recommended a new format for privacy notices that is more concise and focused. (See Opinion on More Harmonised Information Provisions)

According to Computerworld, the new harmonised format is making its way into the privacy policies of major US companies:

Companies Simplify Data Privacy Notices - Computerworld:

"P&G, Microsoft are in forefront of move to make Web site disclosures more user-friendly

News Story by Jaikumar Vijayan

JANUARY 10, 2005 (COMPUTERWORLD) - A European Union initiative to develop standards for shorter and more readable data-privacy notices on Web sites is shining a spotlight on a similar need in the U.S., and large companies such as Microsoft Corp. and The Procter & Gamble Co. are already adopting the condensed format.

On its corporate Web site, P&G has created a 'privacy notice highlights' page that uses a modular format identical to the one approved by an EU panel in late November. The modular approach lets companies provide Web site visitors with capsule descriptions of their privacy policies as the initial step in the disclosure process.

Sandy Hughes, P&G's global privacy executive, said last week that the Cincinnati-based maker of consumer goods set up the new page after a survey of users who visited the Web site showed that 95% of them found shorter data privacy notices helpful.... "

Monday, January 10, 2005

What is up with universities?

Today, I find myself asking the question, "what is up with universities?" I'm not just asking this because I am posting from the computer lab at Dalhousie Law School after teaching my class, but because they are leaking personal information like sieves.

Earlier today, I posted about a hacker-caused privacy breach at a university in Kansas. (Click here -- PIPEDA and Canadian Privacy Law: Incident: Kansas University computer containing personal information hacked -- or scroll down a page or two.) Now CNET is reporting that George Mason University has seen hackers take personal information on more than thirty thousand students. Thirty thousand.

Hackers steal ID info from Virginia university | CNET News.com:

"George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.

The attackers broke into a server that held details used on campus identity cards, the university said. Joy Hughes, the school's vice president for information technology, said in an internal e-mail sent over the weekend and seen by CNET News.com that 'the server contained the names, photos, Social Security numbers and (campus ID) numbers of all members of the Mason community who have identification cards.'... "

Recording of Bill Good show (CKNW)

On January 4, 2005, I was a guest on the Bill Good show on CKNW Vancouver. It was an open-line show with quite a few interesting callers with privacy questions. If you missed it live and want to hear it, they were kind enough to send me an MP3 of the show.

Tune in ...

I've been invited to be on the Roy Green Show in Hamilton, Ontario (just briefly, I gather) sometime today between 10:30 and 11:00 (eastern time). If you want to listen via Windows Media, go to http://www.900chml.com/ and click on "listen live".

Consumer advocacy group releases report on PIPEDA

I don't know how I missed this one, but in November, the Public Interest Advocacy Centre released a fifty-five-page report by John Lawford entitled Consumer Privacy Under PIPEDA: How Are We Doing?. It's very critical of PIPEDA and its enforcement, and an interesting read as it also reviews (in some detail) a number of the findings that PIAC has been involved in.

WA state hospital association calls for uniform and more relaxed interpretation of HIPAA

The Washington State Hospital Association's Board of Trustees is asking the state's hospitals to adopt a more uniform and relaxed interpretation of HIPAA to ease information sharing with family members:

Patient privacy rules may relax: "The Washington State Hospital Association Board of Trustees passed a resolution last month asking hospitals to adopt a uniform policy allowing family members and friends to find loved ones while still maintaining federal patient privacy laws.

The association issued the recommendation after an advocacy group demanded a better system. Members were frustrated by officials at local hospitals who wouldn't disclose information about their hospitalized loved ones.

'HIPAA is a little unclear,' said Cassie Sauer, spokeswoman for Washington State Hospital Association. 'It was being implemented with great variation across the state. Family members who couldn't get information were freaked out and really mad.'

HIPAA - the Health Insurance Portability and Accountability Act - was passed by Congress to protect patient privacy by preventing hospitals from releasing confidential patient information. It was intended to protect patients from having their records sold to pharmaceutical companies, for example, that might specialize in treating their particular illnesses...."

Incident: Kansas University computer containing personal information hacked

I'm not sure if university computers are more vulnerable, or if universities are just more forthright about reporting these incidents. In any event, there seem to be a lot of reports like this one:

LJWorld.com : KU center reports computer hacking:

"For the third time in two years, the FBI is investigating a computer hacking crime on a Kansas University computer containing personal information.

KU began sending out letters this week to those who might have been affected by the security breach, which involved a server at KU's Life Span Institute at Parsons.

'It was kind of shocking to us,' said Susan Roberts, a Lawrence resident whose husband, Harold, received a notification letter Thursday. 'These kinds of things are scary.'

The letter Roberts received said information on the server included the name, address, phone number, date of birth, health status and special needs of those who have accessed services in Parsons...."

You need a social security number for what?

Folks in Galveston County, Texas, are about to challenge a local ordinance that requires residents to supply their social security number to have their garbage picked up.

The Galveston County Daily News: Residents to question city ordinance:

"LA MARQUE - Residents of Omega Bay will voice their concerns today about a La Marque ordinance that requires people to supply their Social Security numbers when applying for utility services, specifically garbage pickup."

Sunday, January 09, 2005

Followup: Google Exposes Web Surveillance Cams

Earlier, I posted about being able to find things on the web that the owners probably thought were hidden. (See: PIPEDA and Canadian Privacy Law: Beware what you put online ... there be google hackers.) Slashdot.org has an interesting discussion on the topic, providing the critical techie perspective.

Slashdot | Google Exposes Web Surveillance Cams:

"Posted by CmdrTaco on Sunday January 09, @10:00AM
from the pick-a-password-people dept.

An anonymous reader writes 'Blogs and message forums buzzed this week with the discovery that a pair of simple Google searches permits access to well over 1,000 unprotected surveillance cameras around the world - apparently without their owners' knowledge.' Apparently many of the cams are even aimable. Oops! "

Privacy and Public Records

Probably, the next big privacy issue to hit Canada will be the availability of public records in electronic form. "Public records" are, by their very nature, open to public view, but electronic availability means that they are infinitely more available, mineable (if that's a word) and may be connected with other public and private data in an unprecedented way. This is an entirely new issue, particularly in the United States, where companies like ChoicePoint, Abika and Lexis Nexis collect disparate bits of data, assemble them, link them and make them available to marketers, insurers, lenders and government.

In Canada, we've seen some controversy with Abika, following a complaint made against the company to the Canadian Privacy Commissioner. (Which was not pursued by the Commissioner because the company has no presence in Canada. See PIPEDA and Canadian Privacy Law: CIPPIC complaint raises a number of novel and interesting issues, Jurisdictional limitations on Canadian privacy law, CIPPIC v Abika.com: Part deux.)

Under PIPEDA, public records are treated in a peculiar way. You can collect, use and disclose publicly available information without consent as designated in the regulations:

7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if ...
(d) the information is publicly available and is specified by the regulations.

As with so many aspects of PIPEDA, it is never straightforward. The regulations not only designate what is "publicly available", but tell you how you can use it without consent:

Regulations Specifying Publicly Available Information:

"1. The following information and classes of information are specified for the purposes of paragraphs 7(1)(d), (2)(c.1) and (3)(h.1) of the Personal Information Protection and Electronic Documents Act:

(c) personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry;

(d) personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and ..."

So public records can only be used in a manner that is consistent with the purpose for which they were made available in the first place. This means that you have to ask yourself: Why does the registry of deeds exist? Why are court records open? Why are tax assessments available? I'm relatively confident that they are not public records so they can be mined by marketers. Other than that, it's a matter of interpretation.

PIPEDA only applies to commercial activities, however, so there is no restriction on the ability of journalists or your busybody neighbours to peruse databases. And criminals, who can glean social security numbers from public filings in the US, are not too concerned with the law. So it falls to the governments in question to consider whether it is prudent to put this information online.

On a related note, a quick Google News search turned up a number of interesting articles, starting with this editorial that argues that accident records should continue to be available to keep the government on its toes:

The Sanford Herald: What others say:

"By law and by tradition, government records in North Carolina are open to the public. It is a healthy policy that allows citizens to find out what their government is up to - and to make it accountable to the people it serves.

So it's especially troubling when electronic advances that make it easier for governments to create and maintain records also keep those records out of the public's hands. A prime example is a new software program the state Department of Transportation began using last year that lets law enforcement officers file accident reports directly from their patrol cars instead of filing a paper copy...."

Newsday.com - State/Region News:

"COLUMBIA, S.C. -- Officials in two South Carolina counties have asked a company to stop posting some county government land records online after concerns about the availability of residents' Social Security numbers.

Officials in York and Berkeley counties asked to have some documents removed from the Web site registered to Dallas-based Affiliated Computer Services, Inc...."

Way sought to make court file data honest:

"TALLAHASSEE - A panel helping the Florida Supreme Court figure out how to balance the public's right to access with the right to privacy wants to stop inflammatory documents from getting into court files.

The panel's recommendations are intended to help the state's 67 clerks of court cope with the advent of Internet access to court files and its effect on 'practical obscurity,' the privacy afforded litigants and defendants when court documents pile up in file rooms and warehouses.

Now, paper that once gathered dust can be read, copied, transmitted and analyzed instantly when it enters the court record.

In 2003, the state Supreme Court placed a moratorium on electronic filing of court records until a panel recommends how to protect the public from 'data-miners' - data collection agencies that gather information about individuals. That moratorium came after the Florida Legislature ordered all court records to be put online by 2006...."