Wednesday, May 31, 2006

Update on the Veterans' Affairs breach

Some updated news in the wake of the ginormous data breach at the US Department of Veterans Affairs (for some background, see: The Canadian Privacy Law Blog: Incident: Personal information about 26.5M US veterans on laptop stolen):

World Privacy Law Library

I've used the World Legal Information Institute's website for various projects, but never browsed around to discover the WorldLII - Privacy Law Library. If privacy is your thing, bookmark the main page of this sub-site now. You can search privacy regulators' decisions from around the world and get your hands on some fantastic publications in very short order. (Thanks to Peter Timmins' Open and Shut for leading me to this great resource.)

What's new in ID theft?

Yesterday's New York Times has a very interesting and wide-ranging article on identity theft, focusing on the growth in this kind of fraud in Arizona. The article illustrates innovative techniques that clever fraudsters have picked up and highlights the connection between meth abuse and ID theft. Finally, it also discusses whether the boom in identity theft is actually caused by how easily financial institutions hand out credit to people whose identities aren't verified. Check it out: Technology and Easy Credit Give Identity Thieves an Edge - New York Times. (Thanks to robhyndman.com for the link.)

For an interesting and contrarian perspective, check out Slate's: The New York Times flips out over "identity theft."

Tuesday, May 30, 2006

European court blocks passenger data sharing deal with US

Andreas Busch, blogging from Oxford, reports that the data sharing arrangement between the US and the EU has been struck down. Read all about it at his great blog ...

Politics of Privacy Blog: Passenger flight data: European court blocks EU data deal with US:

"The European Court of Justice has today annulled the European Council's decision regarding an agreement to provide US authorities with the data of European flight passengers, and the European Commission's decision that this agreement complies with the European Union's data protection requirements. (More information about the details can be found in the ECJ's press release)...."

E-mail issues causing headaches

This morning, Toby Keeping of IronSentry and I gave a presentation on business and legal risks of e-mail and other electronic information at the Westin in Halifax. The Chronicle Herald is running a story on the topic, based on interviews with Toby and me. Check it out: The ChronicleHerald.ca - E-mail issues causing headaches: Firms search for security in electronic age. E-mail me for a copy of the presentation.

Federal Privacy Commissioner releases annual report for 2005

The Federal Privacy Commissioner of Canada has released her Annual Report to Parliament for 2005 (pdf). It is worth a read since it highlights many of the activities of that office that are not reported on elsewhere. It also includes a synopsis of a range of pending applications before the Federal Court of Canada that haven't been referred to elsewhere.

Here is the media release related to the report:

Tabling of Privacy Commissioner of Canada's 2005 Annual Report on the Personal Information Protection and Electronic Documents Act: Commissioner takes tougher stance

Ottawa, May 30, 2006 – There has been progress in advancing the privacy rights of Canadians in the private sector, but the Privacy Commissioner's Office intends to be more assertive in ensuring that all businesses are complying with the law, according to the Privacy Commissioner of Canada, Jennifer Stoddart, whose 2005 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

In 2005, the Privacy Commissioner began taking a stronger stance with respect to the recommendations made to organizations in her letters of finding. She began asking organizations that are the subject of well-founded complaints to state the corrective measures they would take – and when these measures would be implemented. In the one situation in which the company did not implement the recommendations, the Commissioner’s Office took the matter forward to the Federal Court. All other organizations have rapidly committed to providing redress and making systemic changes to their personal information management practices.

“Businesses, large and small, have demonstrated goodwill, commitment to community values and openness to change when it comes to protecting privacy,” states Ms. Stoddart in her report. “But I am concerned that apparent compliance does not always result in truly effective privacy and security practice. This goodwill needs to be translated into practice.”

Overall, information handling practices brought to the attention of the Privacy Commissioner’s Office show a high level of compliance with PIPEDA among Canadian companies. And the Commissioner is pleased that a recent trend toward settling complaints is continuing, with almost half of the 400 complaints in 2005 being settled to the apparent satisfaction of all parties.

Another theme of the report relates to technology, consumer trends and national security concerns, which continue to introduce novel uses for personal data and require ever greater amounts of it. It is time to revisit how the operating rules are defined and applied, and how adequate these rules are in a world of such rapid technological change.

Recent polling commissioned by the Privacy Commissioner’s Office suggests that 88 per cent of Canadians feel that it is important that privacy laws are updated to ensure they are keeping up with new technologies that may have an impact on their personal information.

PIPEDA came into effect in stages beginning in 2001, so the Office now has more than five years of experience dealing with the law. It is slated for a full Parliamentary review in 2006, which is expected to commence in the fall. This mandated review is vital and will present a unique opportunity to examine the Act’s effectiveness in protecting privacy rights in the marketplace. It will also give Parliamentarians the chance to help respond to growing attacks on personal information through identity theft, spam and fraudulent on-line activities. The Commissioner is urging the government to consider a similar review of the Privacy Act, the federal public sector privacy law, which has not been substantially amended since its inception in 1983.

As the Commissioner’s Office plans for its participation in this all-important review of PIPEDA, it will also continue to pursue preventive activities such as education, outreach, complaint resolution, as well as audits and reviews. The expectation of additional resources will further assist the Office in fully carrying out this multi-faceted mandate to protect and promote privacy rights.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

— 30 —

To view the report: Annual Report to Parliament 2005 — Report on the Personal Information Protection and Electronic Documents Act (Adobe format)

Sunday, May 28, 2006

Incident: Sacred Heart computer security breach affects 135,000

Security breaches at universities are such old news that I've stopped reporting them on this blog. But this one is a bit different. A computer security breach has resulted in the compromise of personal information of 135,000 people at Sacred Heart University in Connecticut. (Yawn.) But what's notable is that many of those affected are not alumni, not staff, not students, not applicants. The university had obtained information on prospective students from dozens of sources, likely without the OK of those individuals. And some of this information was compromised in the breach. Yup. That's a new one. And not a good one.

See: Wtnh.com, Connecticut News and Weather - Sacred Heart computer security breach affects 135,000.

I'd like to thank the academy. And my blog ...

I usually don't write about anything other than privacy law, but I thought I'd make an exception to write a bit about this blog ...

This week I was honoured to be the recipient of the Outstanding Young Canadian Award in the category of Leadership, given by the Junior Chamber of Commerce International, Halifax Chapter. My firm, McInnes Cooper, has made a pretty big deal out of it (Congratulations to David Fraser, our Outstanding Young Canadian!). It was all very flattering and humbling at the same time.

The criteria for the award are:

Leadership: The legal, political, public and governmental sectors have leaders who use their skills to attain goals on a regular basis. They constantly make a difference in their organization and their leadership ability is a key to their success. The nominee for this award has proven leadership abilities.

I fit the "young" part, since I'm between 18 and 40. And it is unusual for a young associate in a large law firm to head a practice group, to develop a niche practice and to have a significant national client base.

I had to give a speech, along with the winners in the other categories, at the gala dinner on Thursday. The organizers suggested something inspiring. Well, I spend a lot of time talking to large groups about privacy law but it was pretty weird to contemplate standing up and talking about myself. But it did make me reflect upon what "got me here". And a significant part of that is this blog.

In building my practice in privacy law, I have spent a lot of time and effort networking, getting to know people in the field, doing wider marketing and even making direct pitches to prospective clients, but the one thing that has raised my profile most of all and has resulted in engagements from far-flung clients is this blog. I know from the site's stats that it is read regularly by the Office of the Federal Privacy Commissioner, the provincial privacy commissioners, most major Canadian law firms, the big five Canadian banks, and Canada's equivalent of the Fortune 500.

This blog and its wide readership have led to an invitation to speak at the Canadian Bar Association's annual meeting in Winnipeg in 2004 (The Canadian Privacy Law Blog: Report from the CBA in Winnipeg). Everything I've written for the Canadian Privacy Law Review has started as a posting on this blog. The first times I met each of the British Columbia, Alberta and Ontario privacy commissioners, each of them knew me and commented on my blog. I've given dozens of media interviews for newspapers, radio and TV throughout Canada and into the U.S. on privacy issues and, almost without exception, the reporters and producers found me via the blog. I've also been featured in high-profile articles on Canadian legal bloggers (CBA Magazine: Blogging the spotlight and New Media Marketing, Part I - Blogs: How Lawyers Can Become Thought Leaders in a Niche Market (CBA members-only login)), all thanks to this blog. Also, thanks to this blog, I've met a number of great people from coast to coast, some of whom I've met in the real world and some whom I only know through e-mail.

Importantly, all of the above is an unintended consequence. I didn't start out the blog thinking it would raise my profile or would be a good way to meet people. I started it because I wished someone else had put together a "one stop shopping" place for Canadian privacy law and notable news in this area. At the end of 2003, there wasn't such a site to keep privacy lawyers and others up-to-date on this area, so I decided to do it for myself. I was surprised at how easy it was and I was also pleasantly surprised that it didn't take as much time as I thought it would. Everything else has been gravy. Heaps of gravy.

In any event, I'd like to thank my friends, my family, my firm and my blog.

Wednesday, May 24, 2006

Privacy and security may be a competitive advantage

At least Paxx Telecom LLC thinks so. They have just issued a press release advertising that their service lets you thumb your nose at the NSA, et al:

Phone Company, In Response To Concerns About Phone Privacy, Shows Customers How To Tell The NSA To Take A Hike - Yahoo! News

Scottsdale, AZ (PRWEB) May 24, 2006 -- The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree with unnecessary snooping by their government.

It’s hard to know which phone companies are prepared to protect the privacy of telephone records from the NSA’s prying eyes. Certainly many of the nation’s largest phone companies are not, according to USA Today.

With the cooperation of the nation's largest phone companies, the NSA has amassed the largest ever database of "call detail" information including who called what number, when and for how long.

Less understood is that while the public is "assured" no personal data is being collected, only a small step is required in order to "connect the dots". Revealing the owner of most phone numbers is often as simple as typing the number into Google.

Even a pre-paid calling card purchased for cash is not anonymous. All calls originating from that card are recorded based on their authorization code, and it’s just a few simple steps to identify the caller.

"This is nothing new," reports Paul Schmidt, CEO of Paxx Telecom LLC. "We reported back in 2002 that a number of the major phone companies informed their customers that they intended to distribute or sell customers' private information after a Federal Court gave them blanket permission to do so."

"At Paxx Telecom, our records are secured offsite and we guarantee never to turn over any records to the government or anyone else without a court order. All our customers need do is dial a short access number in front of the number they want to reach. As a result, the local phone company will show only the connection to Paxx Telecom. It will have no record of the actual number the customer talked to," he said. "In addition, we keep call records on our servers only temporarily to give customers access to verify proper invoicing, after which the calling information will be extinguished."

Paxx Telecom LLC is a privately owned long distance provider, incorporated in the state of Arizona in 1999. Paxx Telecom offers domestic and international long distance services to residents of the USA and Canada, and it offers International callback services in most countries overseas. Paxx Telecom has agreements to use the network backbones of some of the world’s largest communication providers. For optimal call clarity, Paxx Telecom is using traditional voice-quality networks rather than VOIP or other Internet technology. Additional information about Paxx Telecom services is available at www.PaxxTelecom.com

More information about Paxx Telecom’s secure phone system can be found at www.paxxtelecom.com or by calling 1-800-664-4977.

Tuesday, May 23, 2006

Singapore moving closer to data protection law

Asian economic powerhouse Singapore is about two years away from a data protection law as the country moves through a consultation process toward that objective:

Channelnewsasia.com:

SINGAPORE: A committee that is looking at how to protect private information is expected to submit its report to the government next month.

Experts believe one of the key features of the upcoming data protection law is clamping down on private companies that collect and disseminate personal information freely.

Currently, when a person fills out their personal information on forms or lucky draw coupons, the companies will usually store the information in their databases and disseminate it without the person's knowledge or permission.

The upcoming law will likely make sure that that will not happen.

Experts believe the law may be ready in about 2 years.

"Data collectors would have to get your consent if they're going to use it for direct marketing and if you discover that your particulars are being used by direct marketing by a particular company, you'd have a right to go to the company and demand that they stop doing it. It's the sort of thing I could envisage in the legislation coming," said S Suressh, a partner at Harry Elias Partnership.

Singaporeans are increasingly using the internet to conduct transactions.

So it's timely for the government to study and develop laws to protect personal details.

"As we develop, there're more and more demands for rights and one of the rights is of course the right to privacy. So the government's probably decided that we have reached a certain level of development and that businesses can probably cope with the increased burden and cost of this," said Asst Prof Terence Tan from the Law Faculty at NUS.

The existing laws cover mainly government agencies such as the Inland Revenue Authority of Singapore, requiring they protect your personal information.

But data collection and protection are unregulated among private companies, which will change with the coming of new laws. - CNA /dt

Upcoming Seminar: E-mail, storage and the law

Location: Westin Hotel, Halifax, NS
Start Date: Tuesday, May 30, 2006
Time: 8:00am - 11:30am

With 70% of critical business information contained in email, small and medium sized companies face numerous challenges. Legal concerns including privacy, retention, and accountability are forefront, but improper use, hardware requirements, and the ability to recover old emails are also highly important to today’s business owner.

Join Toby Keeping (IronSentry Inc.) and David Fraser (McInnes Cooper) in an information session as they discuss these and other issues that small and medium sized companies have to address with electronic information.

For more information, or to register, click here.

Contact: Toby Keeping, 902.463.4485 x1401 or tkeeping@ironsentry.com

Monday, May 22, 2006

Australian women fear "stalker" reverse directory

The Privacy Commissioner of Australia is poised to investigate a controversial "reverse directory" in that country. The site, www.boonghunter.com, provides names, addresses and numbers of residents based on partial information, including just the streets they live on. Women in particular are afraid that it'll make a good tool for stalkers.

The Advertiser: Women fear website puts them in danger [23may06].

By Michael Owen, 23 May 2006

AN unauthorised telephone directory website has alarmed women, who fear it will increase the risk of stalking and endanger women and children seeking refuge from domestic violence.

The website - www.boonghunter.com - also has disturbed Telstra, which yesterday described it as "a gross invasion of privacy".

The website and the source of its information was last night under investigation by federal authorities, including the Australian Communications and Media Authority and the Office of the Federal Privacy Commissioner. Sensis, Telstra's online directory division, said it was "appalled" by the website, which provides "reverse search" access to address and telephone numbers of individuals.

"Unlike the White Pages directory, where you need to know the name of the person you are searching for before you can find their details, reverse searching enables people to search for your private details without knowing who you are," Sensis Corporate Affairs Manager Karina White said.

"For example, you can find out someone's personal details just by knowing the street they live on.

"Whoever is behind this website has no regard for Australians' rights to have their personal contact information handled responsibly and with respect."

Karen Barnes, chairperson of the Kilburn-based Women's Housing Association, was concerned for the safety and security of women and children trying to flee abusive situations.

"We will be pursuing a formal inquiry to try and get this website closed down," Ms Barnes said.

Telecommunications industry sources last night said initial inquiries indicated an overseas computer hacker had gained access to the Integrated Public Number Database (IPND), which contains the names, addresses, phone numbers and phone location of all residential and business customers in the country. The database is managed by Telstra on behalf of the telecommunications industry.

The IPND is used by telcos to develop their own directories and is also available to authorised members of the Australian police and emergency services.

ACMA last night confirmed it had started investigating the source of the information on the website.

Privacy Commissioner Karen Curtis was last night preparing to launch a formal investigation.

The domain http://www.boonghunter.com is being redirected to http://www.indigenoushunter.com/. I understand the term "boong" (which I must confess I've never heard before) is an offensive term used to refer to aboriginal Australians.

Incident: Personal information about 26.5M US veterans on laptop stolen

An employee of the United States Department of Veterans' Affairs took home a laptop containing data on 26.5 million American veterans, which was subsequently stolen from his home. Authorities do not think the information has been misused:

Personal Data of 26.5M Veterans Stolen - Yahoo! News

WASHINGTON - Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.

Veterans Affairs Secretary Jim Nicholson said there was no evidence so far that the burglars who struck the employee's home have used the personal data — or even know they have it. The employee, a data analyst whom Nicholson would not identify, has been placed on leave pending a review.

"We have a full-scale investigation," said Nicholson, who said the FBI, local law enforcement and the VA inspector general were investigating. "I want to emphasize, there was no medical records of any veteran and no financial information of any veteran that's been compromised."

"We have decided that we must exercise an abundance of caution and make sure our veterans are aware of this incident," he said in a conference call with reporters.

The theft of veterans' names, Social Security numbers and dates of birth comes as the department has come under criticism for shoddy accounting practices and for falling short on the needs of veterans.

Last year, more than 260,000 veterans could not sign up for services because of cost-cutting. Audits also have shown the agency used misleading accounting methods and lacked documentation to prove its claimed savings.

Veterans advocates immediately expressed alarm....

The federal government has put up an information page here:

Latest Information on Veterans Affairs Data Security -- Firstgov.gov

Latest Information on Veterans Affairs Data Security

The Department of Veterans Affairs (VA) has recently learned that an employee, a data analyst, took home electronic data from the VA, which he was not authorized to do. This behavior was in violation of VA policies. This data contained identifying information including names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings. Importantly, the affected data did not include any of VA's electronic health records nor any financial information. The employee's home was burglarized and this data was stolen. The employee has been placed on administrative leave pending the outcome of an investigation.

Appropriate law enforcement agencies, including the FBI and the VA Inspector General's office, have launched full-scale investigations into this matter. Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents. It is possible that they remain unaware of the information which they possess or of how to make use of it. However, out of an abundance of caution, the VA is taking all possible steps to protect and inform our veterans.

The VA is working with members of Congress, the news media, veterans service organizations, and other government agencies to help ensure that veterans and their families are aware of the situation and of the steps they may take to protect themselves from misuse of their personal information. The VA will send out individual notification letters to veterans to every extent possible. Additionally, working with other government agencies, the VA has set up a manned call center that veterans may call to get information about this situation and learn more about consumer identity protections. That toll free number is 1-800-FED INFO (1-800-333-4636). The call center will operate from 8 am to 9 pm (EDT), Monday-Saturday as long as it is needed.

Here are some questions you may have about this incident, and their answers.

I'm a veteran. How can I tell if my information was compromised?

At this point there is no evidence that any missing data has been used illegally. However, the Department of Veterans Affairs is asking all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements and any statements relating to recent financial transactions. If you notice unusual or suspicious activity, you should report it immediately to the financial institution involved and contact the Federal Trade Commission for further guidance.

What is the earliest date at which suspicious activity might have occurred due to this data breach?

The information was stolen from an employee of the Department of Veterans Affairs during the month of May 2006. If the data has been misused or otherwise used to commit fraud or identity theft crimes, it is likely that veterans may notice suspicious activity during the month of May.

I haven't noticed any suspicious activity in my financial statements, but what can I do to protect myself and prevent being victimized by credit card fraud or identity theft?

The Department of Veterans Affairs strongly recommends that veterans closely monitor their financial statements and review the guidelines provided on this webpage or call 1-800-FED-INFO (1-800-333-4636).

Should I reach out to my financial institutions or will the Department of Veterans Affairs do this for me?

The Department of Veterans Affairs does not believe that it is necessary to contact financial institutions or cancel credit cards and bank accounts, unless you detect suspicious activity.

Where should I report suspicious or unusual activity?

The Federal Trade Commission recommends the following four steps if you detect suspicious activity:

  1. Contact the fraud department of one of the three major credit bureaus:

    Equifax: 1-800-525-6285; http://www.firstgov.gov/external/external.jsp?url=http://www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

    Experian: 1-888-EXPERIAN (397-3742); http://www.firstgov.gov/external/external.jsp?url=http://www.experian.com; P.O. Box 9532, Allen, Texas 75013

    TransUnion: 1-800-680-7289; http://www.firstgov.gov/external/external.jsp?url=http://www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

  2. Close any accounts that have been tampered with or opened fraudulently.
  3. File a police report with your local police or the police in the community where the identity theft took place.
  4. File a complaint with the Federal Trade Commission by using the FTC's Identity Theft Hotline by telephone: 1-877-438-4338, online at http://www.firstgov.gov/external/external.jsp?url=http://www.consumer.gov/idtheft, or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.

I know the Department of Veterans Affairs maintains my health records electronically; was this information also compromised?

No electronic medical records were compromised. The data lost is primarily limited to an individual's name, date of birth, social security number, in some cases their spouse's information, as well as some disability ratings. However, this information could still be of potential use to identity thieves and we recommend that all veterans be extra vigilant in monitoring for signs of potential identity theft or misuse of this information.

What is the Department of Veterans Affairs doing to ensure that this does not happen again?

The Department of Veterans Affairs is working with the President's Identity Theft Task Force, the Department of Justice and the Federal Trade Commission to investigate this data breach and to develop safeguards against similar incidents. The Department of Veterans Affairs has directed all VA employees to complete the "VA Cyber Security Awareness Training Course" and the separate "General Employee Privacy Awareness Course" by June 30, 2006. In addition, the Department of Veterans Affairs will immediately be conducting an inventory and review of all current positions requiring access to sensitive VA data and will require all employees requiring access to sensitive VA data to undergo an updated National Agency Check and Inquiries (NACI) and/or a Minimum Background Investigation (MBI), depending on the level of access required by the responsibilities associated with their position. Appropriate law enforcement agencies, including the Federal Bureau of Investigation and the Inspector General of the Department of Veterans Affairs, have launched full-scale investigations into this matter.

Where can I get further, up-to-date information?

The Department of Veterans Affairs has set up a special website and a toll-free telephone number for veterans that features up-to-date news and information. Please check this webpage for further updates or call 1-800-FED-INFO (1-800-333-4636).

Page last updated, May 22, 2006

Sunday, May 21, 2006

Almost perfect accuracy still labels hundreds as criminals in the UK

99.97% accuracy sounds pretty good, unless you are one of the 1500 people in the UK incorrectly labeled as a criminal.

The Criminal Records Bureau is unapologetic that it errs on the side of caution in managing its databases. See: BBC NEWS | UK | Hundreds wrongly dubbed criminals.

Scottish 'Big Brother' plan to profile every child in massive database

Child protection authorities in Scotland are planning to phase in an enormous database on all children born in the country in an effort to identify children at risk of abuse. Not surprisingly, the initiative is being referred to as "Orwellian":

Edinburgh Evening News - Edinburgh - 'Big Brother' plan to store every baby on computer:

EVERY newborn child in Edinburgh and the Lothians faces being stored on a "Big Brother-style" national database under a major shake-up of Scotland's child protection system.

The computerised files would be kept "live" until the child reaches the age of 16 and will include personal details of their health, family life and education.

The child's file will be closed when they reach 16, but it will then be kept on record for up to 75 years.

Teachers, police, GPs and social workers will be able to access the files to check for signs of abuse.

If the child is regularly late for school or their behaviour changes dramatically, the details could be put into the system where it is hoped it will build up a picture of the child's overall welfare.

...

The national database is being planned by ministers to revolutionise information sharing between different agencies and improve protection for vulnerable children.

The move follows a series of high-profile cases of child protection failures in Edinburgh and the Lothians.

In March, two-year-old East Lothian boy Derek Doran died after drinking his parents' methadone. He had been found dead in his bed by his mother last December at their home at Elphinstone, near Tranent.

And last year, three-year-old Michael McGarrity was found alone in a Leith flat with the body of his drug-addict mother, having survived for six weeks on scraps of food.

...

The scheme is to be piloted in Highland Council from September 3 before being extended across the country, according to the Scottish Executive.

Every newborn child in the Highland region and around 500 Inverness schoolchildren will be logged into the system during the trial.

Families have been told they will be consulted about the nature of information that is held.

A spokesman for the Scottish Executive said: "Highland's experience will also be used to help other local authorities prepare for the roll-out of the new systems."

But a human rights expert warned the new system may be open to abuse.

John Scott, former head of the Scottish Human Rights Centre, said: "The positive aspects of this are fairly obvious but bringing so much information into one place brings with it the scope for abuse.

"The important thing is to ensure there are very clear safeguards in place."

Thanks to Pogo Was Right for the link.

DHS Privacy Office Bashes RFID Technology To Track People

This is interesting (and unexpected):

DHS Privacy Office Bashes RFID Technology To Track People - Yahoo! News:

The Department of Homeland Security's Privacy Office has issued a draft report that strongly criticizes privacy and security risks of using radio frequency identification devices for human identification. Public comment on the paper is being taken until May 22.

The privacy office says the technology offers little performance benefit for identification purposes compared with other methods and could turn the government's identification system into a surveillance system.

A new generation of privacy attitudes

Yesterday's San Francisco Chronicle has a very interesting article on attitudes toward privacy held by the "younger generation". You know them: they're more than happy to detail their most personal thoughts in blogs and on MySpace but freak out when they think someone from the government might be listening.

The age of privacy / Gen Y not shy sharing online -- but worries about spying

Over the past 12 years, Melissa Gira has cultivated a daily audience of 4,000 strangers, whom she lets watch her most intimate moments on her Web site. They have watched her wake up and recall her dreams, and they have watched her suffer through breakups. In more recent years, some have paid hourly fees to watch her perform "digital sex."

Gira, a.k.a. m. Shakti, was one of the first "Web cam girls" who, using a real-time camera, intentionally exposed the details of her life online 24 hours a day, seven days a week.

"I shared secrets there I wouldn't share with anyone else," Gira said. "Things I said only to therapists, best friends."

Yet when the 28-year-old San Francisco resident learned last week, along with millions of Americans, that the National Security Agency had collected the telephone records of unsuspecting citizens, it crossed Gira's privacy line.

Saturday, May 20, 2006

Printing card data not smart

David Canton's regular IT column in the London Free Press is about the practice of printing full debit and credit card numbers on receipts. (See: London Free Press - David Canton - Printing card data not smart.)

This is a practice that really bugs me. In three days in Toronto last week, every debit and credit card receipt I accumulated had my full number and expiry date printed on it. I was in Toronto for a Canadian Institute conference on Privacy Compliance, which I co-chaired. The topic of receipts came up in discussions with the Assistant Privacy Commissioner of Canada, the Alberta Commissioner and the British Columbia Commissioner. The Alberta Commissioner, Frank Work, discussed the incident that David mentions in his column and one of the more interesting things he discovered in his investigation: there's a black market for these receipts and they are $25.00 each.

The assistant federal commissioner, Heather Black, mentioned that the Commissioner's office had canvassed most of the POS suppliers in Canada, who assured them that they are rolling out upgraded machines as fast as they can. Not fast enough, in my personal opinion.

For those retailers whose receipts are generated through a full POS system, I expect it's just a software patch that would do the job. The dedicated card terminals may need something more.

But even if it is a "hardware problem", why not give cashiers a jiffy marker to black out the digits? There's no reason to have them on the receipt since it is all settled electronically and the transaction code is enough to reconcile the day's accounts. As for me (at least in restaurants, where I'm asked to sign the slip and have the time to linger), I black out my card number myself.

Thursday, May 18, 2006

Schneier on The Eternal Value of Privacy

Run, do not walk, to read this very interesting comment by Bill Schneier: Wired News: The Eternal Value of Privacy. Here's a taste:

The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: "If you aren't doing anything wrong, what do you have to hide?"

Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Nova Scotia Court of Appeal decision on physician billing records privacy

I recently blogged about a recent decision from the Nova Scotia Court of Appeal that held individual physician billing information should not be disclosed under the province's Freedom of Information and Protection of Privacy Act (See: The Canadian Privacy Law Blog: Doctors' billings in Nova Scotia is private information under FOIPOP). This is a different result than that reached in Manitoba and British Columbia and is an important interpretation of the Act in Nova Scotia.

The decision is not yet up at the Courts' website, but here's a copy: 2006 NSCA 59

Doctors Nova Scotia v. Nova Scotia (Department of Health)

Doctors Nova Scotia (Appellant) v. Her Majesty the Queen, in Right of the
Province of Nova Scotia, as represented by the Minister of Health and Joanna
Redden (Respondents)

Nova Scotia Court of Appeal

Cromwell J.A., Fichaud J.A., and Oland J.A.

Heard: April 5, 2006
Judgment: May 12, 2006
Docket: C.A. 255020

Counsel: Cynthia Scott for Appellant
Edward Gores, Q.C. for Respondent, Her Majesty the Queen
Graham Steele for Respondent, Joanna Redden

Fichaud J.A.:

     [1]Ms. Redden applied under Nova Scotia's Freedom of Information and Protection of Privacy Act for disclosure of records with the provincial Department of Health showing named physician billings from 2000 to 2004, later revised to 2002-2004. The Supreme Court ordered disclosure. Doctors Nova Scotia, representing physicians, appeals. Doctors Nova Scotia says that the disclosure of named physicians' individual billings would unreasonably invade the physicians' privacy. It is common ground that the request is for personal information. There are two issues. (1) Does the requested information reveal details of "a contract to supply services to a public body" (which is deemed not to unreasonably invade privacy) under s. 20(4)(f) of the Act? (2) If not, does a consideration of the circumstances cited in s. 20(2) rebut the statutory presumption that disclosure would unreasonably invade the physicians' privacy?

Background

     [2]The Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c. 5, as am. ("Act") prescribes the procedure for access to records possessed by public bodies, including provincial government departments. On July 21, 2004, the respondent Joanna Redden applied under s. 6(1) of the Act for copies of records possessed by the Department of Health showing "the total physician billing, by physician, in Nova Scotia from 2000 to the present." Ms. Redden is on staff with the New Democratic Party.

     [3]Under s. 22 of the Act, the Department of Health gave notice of Ms. Redden's request to the appellant Doctors Nova Scotia ("DNS"). DNS represents physicians in the Province, and was formerly known as the Medical Society of Nova Scotia. DNS objected to Ms. Redden's request. DNS said the disclosure would unreasonably invade physicians' privacy.

     [4]The Department of Health responded to DNS with a letter of September 17, 2004 stating:

The Department of Health has received your written representation explaining that you believe the information should be partially disclosed, without names attached.

Following consideration of the information, your representation, and the relevant provisions of the Act, the Department of Health has reached a decision to grant full access to the requested information.

     [5]DNS filed a request for a review of the Department's decision. The review officer wrote a report dated January 28, 2005. The report notes:

While DNS had no objection to the disclosure of individual MSI billings, it argued that attaching the names of the doctors to the billings was contrary to the requirements of s. 20 of the FOIPOP, a mandatory exemption which obliges a public body to refuse to disclose personal information if such disclosure constituted an unreasonable invasion of an individual's personal privacy.

     The review officer concluded that the requested information revealed details of a contract to supply a service to the provincial government. By s. 20(4)(f) of the Act, such a disclosure is deemed not to unreasonably invade privacy. The review officer recommended disclosure.

     [6]DNS appealed to the Nova Scotia Supreme Court under s. 42(1) of the Act. Section 42(1) states that the Supreme Court "determines the matter de novo." Justice Douglas MacLellan heard the appeal on August 8, 2005. DNS filed an affidavit of Dr. Gary Ernest, the director of DNS. Ms. Redden filed an affidavit of Lori Errington, a researcher with the NDP caucus office.

     [7]The chambers judge issued a decision on August 30, 2005, dismissing DNS' appeal (2005 NSSC 244). He ruled that the disclosure was deemed not to be an unreasonable invasion of privacy by s. 20(4)(f). This provision reads:

20(4) A disclosure of personal information is not an unreasonable invasion of a third party's personal privacy if

...

(f) the disclosure reveals financial and other similar details of a contract to supply goods or services to a public body.

     Later I will discuss the chambers judge's reasoning. He determined:

[30] I conclude that the contract between Doctors Nova Scotia and the Department of Health is a contract for the supply of services and that the fees paid under the contract are financial details of the contract and therefore come within s. 20(4)(f) of the Act.

...

[42] In light of my decision to find that the information requested is covered by s. 20(4)(f) of the Act it is not necessary for me to deal with whether the Third Party here has shown that the presumption of an unreasonable invasion of privacy has been rebutted in light of the fact that all parties agree that the information involved does contain personal information.

     [8]DNS appeals to this court. DNS' factum defines the issue as follows:

119 . . . the Appellants have consented to release of the individual billing amounts on the condition that the names of physicians are severed, substituting numbers for names.

120. The only issue in this case is whether names of physicians are required to be disclosed in connection with the amount of their individual billings.

Appeal Jurisdiction

     [9]The Act says nothing of appeals from the Supreme Court. Section 38(1) of the Judicature Act, R.S.N.S. 1989, c. 240 states that, except where otherwise provided, an appeal lies to the Court of Appeal from any decision of the Supreme Court. Section 38(1) permits an appeal from a Supreme Court decision made under s. 42(1) of the Freedom of Information and Protection of Privacy Act: O'Connor v. Nova Scotia, 2001 NSCA 132, at ¶ 30; Dickie v. Nova Scotia (Department of Health), [1999] N.S.J. No. 116 (C.A.).

Standard of Review

     [10]This is an appeal from a de novo determination by the Supreme Court, not from a judicial review of a decision by an administrative tribunal. So the pragmatic and functional approach does not determine the standard of review. Rather, the standard of review for the Court of Appeal is that which normally applies to a civil appeal from a decision of first instance by a lower court. In O'Connor, at ¶ 28 - 34, Justice Saunders summarized the principle:

Accordingly, in the absence of clear statutory direction to the contrary, the standard of review under the FOIPOP Act of a lower court's findings of fact should be the same as in other civil cases, that is obvious, palpable and overriding error. In matters of law, for example conclusions with respect to the interpretation to be given to legislation, the test is one of correctness. ...

Issues

     [11]The issues turn on s. 20 of the Act. The pertinent wording is:

Section 20

(1) The head of a public body shall refuse to disclose personal information to an applicant if the disclosure would be an unreasonable invasion of a third party's personal privacy.

(2) In determining pursuant to subsection (1) or (3) whether a disclosure of personal information constitutes an unreasonable invasion of a third party's personal privacy, the head of a public body shall consider all the relevant circumstances, including whether

(a) the disclosure is desirable for the purpose of subjecting the activities of the Government of Nova Scotia or a public body to public scrutiny;

(b) the disclosure is likely to promote public health and safety or to promote the protection of the environment;

(c) the personal information is relevant to a fair determination of the applicant's rights;

(d) the disclosure will assist in researching the claims, disputes or grievances of aboriginal people;

(e) the third party will be exposed unfairly to financial or other harm;

(f) the personal information has been supplied in confidence;

(g) the personal information is likely to be inaccurate or unreliable; and

(h) the disclosure may unfairly damage the reputation of any person referred to in the record requested by the applicant

(3) A disclosure of personal information is presumed to be an unreasonable invasion of a third party's personal privacy if

...

(f) the personal information describes the third party's finances, income, assets, liabilities, net worth, bank balances, financial history or activities, or creditworthiness;

(4) A disclosure of personal information is not an unreasonable invasion of a third party's personal privacy if

...

(f) the disclosure reveals financial and other similar details of a contract to supply goods or services to a public body; [emphasis added]

     [12]In Dickie, at ¶ 4 - 18, Justice Cromwell outlined the analytical approach to s. 20. To similar effect: Re House and 144900 Canada Inc. 2000 Carswell N.S. 429 (NSSC) per Moir, J. at ¶ 6. In summary, the court should ask the following questions:

1. Do the requested records contain "personal information" of the third party, in this case the physicians?

2. If so, does s. 20(4) deem the disclosure not to be an unreasonable invasion of the physicians' privacy? If there is deeming by s. 20(4), the information should be disclosed. Section 20(4) does not allow rebuttal.

3. If there is no deeming by s. 20(4), does s. 20(3) presume the disclosure to be an unreasonable invasion of the physicians' privacy? If so, there is a rebuttable presumption that the information should not be disclosed.

4. If there is a presumption by s. 20(3), is the presumption rebutted by a consideration of the circumstances under s. 20(2)? If so, the information should be disclosed. If not, then s. 20(1) directs that the personal information not be disclosed.

     Those are the issues before a Supreme Court judge. The issue in the Court of Appeal is whether the chambers judge committed an appealable error under the standard of review respecting these four questions.

     [13]The first and third questions are not in contention on this appeal:

(a) Paragraphs 3(1)(i)(i) and (vii) define "personal information" as including an "individual's name" and "information about the individual's ... financial history". It is not disputed that the requested income information of named physicians is "personal information" of the physicians. The chambers judge made no contrary finding, and his analysis under s. 20(4)(f) assumes that the requested records included "personal information" of physicians. The answer to the first question is "yes".

(b) Ms. Redden acknowledged in her factum that, if s. 20(4)(f) does not apply, then there is a rebuttable presumption under 20(3)(f). Section 20(3)(f) states that a disclosure of personal information is presumed to be an unreasonable invasion of the third party's privacy if the personal information describes the third party's "income". The chambers judge disposed of the matter under s. 20(4)(f), and did not consider s. 20(3)(f). The requested information relates to physicians' income. I agree that, if s. 20 (4)(f) does not apply, the answer to the third question is "yes".

     [14]The argument in this court focussed on the second and fourth questions. Those are the issues I will address.

Contract to Supply Services to a Public Body - s. 20(4)(f)

     [15]The chambers judge disposed of the claim under s. 20(4)(f), which deems the disclosure not to unreasonably invade the physicians' privacy if the disclosure reveals details "of a contract to supply . . . services to a public body".

     [16]The only contract in evidence, or considered by the chambers judge, was the Agreement dated April 1, 2004 between the Medical Society of Nova Scotia (now "DNS") and Her Majesty the Queen in right of the Province ("Contract"). The Contract provides a Fee Tariff for "Insured Medical Services".

     [17]Some medical services are provided under arrangements other than fee for service under this Contract. Article 3.1 of the Contract mentions the collective agreement between PARI-MP (which represents medical residents in the Maritime Provinces) and various healthcare facilities. "Alternative Funding Programs" are defined by article 1(1) as:

funding mechanisms, other than Fee-For-Service which are documented in the contracts anticipated by article 8 of this Agreement . . .

     Article 12.5 notes that physicians may provide insured medical services pursuant to a salaried arrangement with district health authorities.

     [18]Ms. Redden's request for information relates only to services by physicians on a fee for service basis as prescribed in the Contract of April 1, 2004. No other contract is in evidence. I express no opinion whether any such other contract, be it a collective agreement involving PARI-MP or an Alternative Funding Program or a salaried arrangement, is or is not a "contract to supply services to a public body" under s. 20(4)(f).

     [19]Concerning the requested information under the Contract, the chambers judge began by posing the question:

[25] Does Section 20(4)(f) apply to the requested information?

     [20]Clearly the Contract of April 1, 2004 was a "contract", the disclosure would reveal financial details deriving from that contract, and physicians provide medical "services". The issue under s. 20(4)(f) is whether, under the Contract, physicians provide those services "to a public body".

     [21]The chambers judge noted repeatedly that physicians' services are provided to individual patients:

[26] . . . Each doctor bills individually and is paid individually for each service provided to a resident of Nova Scotia.

[27] . . . I interpret the contract involved here to clearly set out the rights of doctors to bill the Province provided they provide the service to a resident of Nova Scotia . . .

[28] . . . doctors are paid for services provided to a resident . . .

[29] . . . The service provided by the doctors are [sic] not for the Department of Health but for residents of the Province. As Doctors Nova Scotia speaks for the doctors so does the Department of Health speak for the residents of Nova Scotia.

     [22]The chambers judge found that the service provided by physicians was "not for the Department of Health but for residents of the Province". Nowhere does his decision say that physicians provided a service to the Department of Health.

     [23]The chambers judge then said:

[30] I conclude that the contract between Doctors Nova Scotia and the Department of Health is a contract for the supply of services and that the fees paid under the contract are financial details of the contract and therefore come within Section 20(4)(f) of the Act.

. . .

[34] I interpret this section [20(4)(b)] to be very broad in scope and basically indicating that if a person has a financial contract with a government body to provide goods or services you should expect that it is going to become public knowledge through Freedom on Information.

     [24]The chambers judge arrived at his conclusion by interpreting s. 20(4)(f) as if it read:

. . . the disclosure reveals financial and other similar details of a contract with a public body to supply goods or services.

     The chambers judge has, with respect, misread the provision. The point is not whether the Contract is signed with a public body. Under the Contract, the services must be supplied to a public body.

     [25]In his able submission, counsel for Ms. Redden urged the court to interpret s. 20(4)(f) "purposively", instead of "literally", to promote disclosure. The court is to interpret the Act. The words of the Act are to be read in their entire context, in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act and the intention of the legislature: R. v. Sharpe, [2001] 1 S.C.R. 45 at ¶ 33 per McLachlin, C.J.C., and authorities cited. The starting point is the "grammatical and ordinary sense of the words". The legislature has chosen to enact that the deeming by s. 20(4)(f) applies only when the disclosure relates to details of a contract to provide "services to a public body". Section 2 of the Act lists the statutory objects to include both promotion of public access to records and protection of privacy for personal information. The court cannot ignore the clear statutory direction simply to promote disclosure per se. It is the function of the legislature, not the court, to decide whether or not the words "services to a public body" should cease to qualify the deeming in s. 20(4)(f).

     [26]A review of the Contract and its enabling legislation establishes that the physicians' services involved in this appeal, provided on a fee for service basis, are not "services to a public body" and the Contract does not "supply services to a public body".

     [27]The Contract provides the mechanism for negotiating a Fee Tariff. Article 1(6) defines "Fee Tariff" as a tariff for "Insured Medical Services". Article 1(9) defines "Insured Medical Services" as "the medical services that Insured residents are entitled to receive under the provisions of the Health Services and Insurance Act . . ." [emphasis added]. "Insured Residents" are defined by article 1(8) of the Contract as "residents of Nova Scotia as defined by the Health Services and Insurance Act . . ."

     [28]The Health Services and Insurance Act, R.S.N.S. 1989, c. 197, as amended, ("HSIA") s. 2(h)(a) defines "insured professional services" as "the services with respect to which a resident is entitled to receive insurance under the provisions of this Act and the Regulations". "Resident" is defined by s. 1(l) as "resident of the Province as defined in the Regulations". Various provisions [e.g. ss. 17(2)(a), (b) and (d); 27(1); 28(1); 29(1) ] state that the insured professional service is rendered "to a resident". Nothing in the HSIA says physicians' services are to the Province. Section 3(2), the heart of the HSIA, states:

(2) Subject to this Act and the regulations, all residents of the Province are insured upon uniform terms and conditions in respect of the payment of the cost of insured professional services to the extent of the tariffs.

     [29]Section 13(1)(a) authorizes the Minister of Health to negotiate "compensation for insured professional services on behalf of the Province with the professional organization representing providers". Section 13(A) authorizes the Minister of Health to "enter into an agreement with the Society [now DNS] on behalf of all duly qualified medical practitioners in the Province who provide insured medical services concerning compensation for insured medical services . . .". These provisions that enable the Contract are subject to s. 23 of the HSIA:

Nothing in this Act

(a) prevents a person from choosing his own provider;

(b) prevents a provider from practising as a provider outside the M.S.I. Plan; or

(c) imposes an obligation upon a provider to treat a person.

     [30]In my view, the Contract and HSIA display the following dynamics. The Contract establishes a Tariff for "insured medical services", and defines "insured medical services" to mean services to the patient. The Contract is authorized by the HSIA. Under that HSIA, "insured professional services" are services to the patient. The Province insures the patient for the cost of the services to the extent of the tariffs. The Act does not interfere with, or inject the Province into, the individual choices of the patient and physician to engage in the professional relationship - confirmed by s. 23. The Department and the physician (through DNS) contract to establish the tariff, and the Province as insurer pays the physician directly. But the physician provides the medical service to the patient, not to the Province.

     [31]The chambers judge (¶ 29 - quoted earlier) noted that "the Department of Health speak[s] for residents of Nova Scotia." It is unclear how this proposition channelled the chambers judge's reasoning. It appears that the chambers judge may have characterized the Department as an agent for the residents/patients. To this I have two comments. First, the HSIA does not express an agency role for the Department. The HSIA describes the Province as an insurer. Second, even if there is an implied or constructive agency (about which I express no opinion), that does not redirect the physicians' medical services to the Province. An agency does not bestow on the agent the benefit of a service rendered to the principal.

     [32]Counsel for Ms. Redden says that it should not matter who "consumes" the service. Counsel cited examples of contracts with government to build roads, schools and hospitals. Another example discussed at the hearing would be a contract with government for garbage collection. Counsel says the contractor provides these services to the government. In my view, these examples differ in principle from physicians' services. In these examples the contract with the public body is the source of the third party's commitment to build the road, school or hospital or collect garbage. So the service may be provided to the public body though it benefits individuals. The Contract of April 1, 2004 systemizes the Province's role as insurer, but is not the source of a physician's commitment to provide medical service. That commitment results from the individual dealings between physician and patient, as acknowledged by s. 23 of the HSIA.

     [33]This was not a contract to supply medical "services to a public body". Section 20(4)(f) does not apply. The standard of review for errors of law is correctness. With respect, the chambers judge erred in law by ruling that s. 20(4)(f) deemed this disclosure not to be an unreasonable invasion of the physicians' privacy.

Rebuttal of Presumption - s. 20(2)

     [34]Ms. Redden's factum acknowledges that, if s. 20(4)(f) does not apply, then s. 20(3)(f) does apply. The requested disclosure involves personal information describing physicians' "income". Section 20(3)(f) presumes this to be an unreasonable invasion of the physicians' privacy, unless rebutted under s. 20(2). I will turn to s. 20(2).

     [35]The chambers judge did not consider s. 20(2). There is no issue of appellate deference on that topic.

     [36]In Dickie, this court considered the approach to the rebuttal of the presumption. Justice Cromwell stated:

55 However, the judge's balancing of the factors was incorrect because of the error in failing to find the disputed information was personal information related to employment history. In the case of personal information related to employment history, the Act presumes that the balance is in favour of privacy because it presumes that disclosure of personal information relating to employment history is an unreasonable invasion of personal privacy. The judge held, in effect, that the citizen's right to know trumps a third party employee's right to privacy, saying that if an employee "... apparently or actually misuses the power vested in that employee as a consequence of employment, an aggrieved citizen has a right to be adequately advised of the nature and the results of an investigation into the allegation of wrongdoing.." I think the judge erred in reaching this conclusion when the explicit presumption of the Act is the opposite. The error was not in failing to do the balancing but in failing to start the balancing with the presumption in favour of privacy of this type of information.

     The s. 20(2) analysis is a balancing exercise, but not from a level scale. It begins with the weighted presumption under s. 20(3)(f) that the disclosure would unreasonably invade the physicians' privacy. The question is whether the circumstances cited in s. 20(2) overcome this presumption. The proponent of rebuttal must define and establish her proposition.

     [37]Section 20(2) is quoted earlier (¶ 11). In the circumstances here, there is nothing in ¶ 20(2)(c) through (h) to support the rebuttal of the presumption that disclosure would unreasonably invade the physicians' privacy. The questions are whether the presumption is rebutted by a consideration of "all the relevant circumstances" in the prefix, whether the disclosure would better subject government to public scrutiny under s. 20(2)(a) and whether the disclosure would promote public health under s. 20(2)(b).

     [38]Ms. Errington's affidavit says that the requested information is public in British Columbia and Manitoba, and that in Nova Scotia incomes of civil servants, teachers and professors are publicized. Her affidavit says that the Nova Scotia government spends over half a billion dollars per annum for medical payments and grants. Ms. Redden's factum repeats these submissions. Nothing in the evidence or Ms. Redden's factum focuses on the listed factors in s. 20(2). The Province's factum does cite s. 20(2)(a).

     [39]Physicians' billing data is publicized in British Columbia and Manitoba under specific statutory provisions that do not exist in Nova Scotia: Financial Information Act, R.S.B.C. 1996, c. 140 and Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, s. 22(4)(g); Public Sector Compensation Disclosure Act, C.C.S.M. 1996, c. P265, s. 5. In Nova Scotia, the disclosure of incomes of teachers, civil servants and professors does not involve the issues under s. 20 that determine the outcome of Ms. Redden's request for the physicians' billings.

     [40] The Province spends over half a billion dollars annually on medical services. If the question was simply "Should there be disclosure of how the government spends over half a billion dollars per annum?" I would agree. Disclosure would promote public scrutiny of the spending activities of the government in the field of public health. This would engage s. 20(2)(a) and (b). But that is not the question. DNS does not object to the disclosure of the requested information, provided only that the names of individual physicians are deleted (or replaced with numbers). Disclosure of global funding, or categories of funding, or details (other than names) of funding for physicians' insured services is not contested. The only question is whether the names of individual physicians should be included (or replaced by numbers). If the names were deleted, the billings data, to the extent that the information would not then relate to an identifiable individual, would not be "personal information" and s. 20 would not bar disclosure.

     [41] The evidence contains nothing to support the conclusion that the disclosure of the names of individual physicians would better subject the government to public scrutiny or improve public health.

     [42] At the hearing of his appeal, counsel for Ms. Redden referred to passages in the transcript of his submissions to the chambers judge. Counsel said to the chambers judge, "I'm not going to give evidence", but then described "hypotheticals". An example is a hypothetical municipality that considers whether to levy a tax to replace a physician or entice a physician to locate in the community. The physician's income would be relevant to the policy choice of the municipal council - to calculate the level of the special tax. Counsel concluded by saying to the chambers judge: "I make no claims about how close these are to actual fact situations in Nova Scotia."

     [43] Counsel may hypothesize how the name of a physician might connect to a government decision. But there is no support in the evidence for this speculation. Free-wheeling conjecture does not establish a proposition to rebut the statutory presumption. In my view, the consideration of the circumstances under s. 20(2) here does not rebut the presumption under s. 20(3)(f) that the disclosure would unreasonably invade the physicians' privacy.

Conclusion

     [44] The disclosure of the names of individual physicians would be an unreasonable invasion of the physician's privacy. By s. 20(1), the names of individual physicians should not be disclosed, and I would allow the appeal in that respect. The parties should bear their own costs.

Wednesday, May 17, 2006

Use big words

A friend sent me this earlier today and I thought I'd pass it along:

Canadian privacy leaders speak out about privacy and digital rights management

Some of the biggest names in privacy in Canada have joined together to lobby the new Conservative government about potential privacy effects of legislative changes enshrining digital rights management in Canadian copyright law. The new group (IntellectualPrivacy.ca) has sent a letter and a background paper to Culture minister Maxime Bernier asking that privacy issues be carefully considered before embarking on changes to copyright laws that could have a significant privacy impact upon Canadians. The privacy commissioners of Canada, Ontario and British Columbia have also each sent separate letters to the Minister on the topic.

In short, the group is seeking assurances from the government that:

  • any proposed copyright reforms will prioritize privacy protection by including a full privacy consultation and a full privacy impact assessment with the introduction of any copyright reform bill;
  • any proposed anti-circumvention provisions will create no negative privacy impact; and
  • any proposed copyright reforms will include pro-active privacy protections that, for example, enshrine the rights of Canadians to access and enjoy copyright works anonymously and in private.

Telcos deny giving customer calling info to NSA

In the fallout of the most recent privacy scandal (The Canadian Privacy Law Blog: NSA collection of info on ordinary Americans wider than originally suspected), Verizon and BellSouth are denying having given calling information to the National Security Agency in the first place. (See: NPR : Phone Companies Distance Themselves from NSA.) Another major carrier, Qwest, got some publicity for first saying they were asked by the NSA but refused. (See: Qwest Goes From the Goat to the Hero - New York Times.) There's nothing I can find in a quick search of the conventional media or in the blogosphere suggesting that AT&T have issued any statements one way or another.

Tuesday, May 16, 2006

Texas AG sues to prevent unfettered sale of bankrupt company's customer data

(Update 20060516) Here's an interesting lesson about assuming that RSS feeds are recent: The story below that I posted about earlier today is actually six years old. It was originally published in October 2000. Thanks to the reader who e-mailed to point that out! (I thought it was oddly familiar ...)

The Attorney General of Texas has stepped in to try to limit the resale of defunct Living.com's customer data as part of a bankruptcy sale. According to Computer World, the AG has filed a lawsuit against the company's bankruptcy trustee to require the destruction of sensitive financial customer information (credit card data, social security numbers, etc) and a requirement that the customers in question be given a chance to opt out before their remaining data is transferred. See: Texas Attorney General Sues to Stop Living.com Data Sale.

Proposed amendments to Alberta's access law slammed

Critics are urging citizens to call and e-mail legislators about proposed amendments to Alberta's access to information law that will keep certain government information unreachable for a longer period of time:

The Calgary Sun - Canada's 'private' province slammed:

New secrecy laws irk Alberta critics

By DARCY HENTON, LEGISLATURE BUREAU

EDMONTON -- Critics say the most secretive government in Canada is about to get even worse with new legislation it hopes to ram through the House this week.

They say Alberta's Freedom of Information and Privacy law is already so restrictive that even government MLAs have joked FOIP actually stands for (expletives deleted) It's Private.

Liberal Government Services critic Mo Elsalhy says new amendments to exclude ministerial briefing notes from being accessed for five years would have prevented the uncovering of the AdScam scandal.

'Everyone is talking about openness and transparency. This government is going in the opposite direction.

'They're adding more layers of secrecy to a government that's already too secretive.'

The FOIP amendments also will delay access to documents from the government's chief internal auditor for 15 years and include other measures to delay the release of information, Elsalhy said....

Here's some coverage from the Canadian Press (via Yahoo!):

Alberta government forcing through changes on contentious info law - Yahoo! Canada News:

EDMONTON (CP) - Alberta's freedom of information law, once described by a journalism group as the most secretive in Canada, is about to get even more restrictive.

The Conservative government is pushing through changes this week to Alberta's Freedom of Information and Protection of Privacy Act to put a five-year blackout on briefing documents and other records that show how Premier Ralph Klein ran the province for more than a dozen years. "This Conservative government seems hell bent to ram through legislation this week to make Canada's most secretive government even more tight-lipped," Liberal Leader Kevin Taft said Monday in the legislature.

Taft accused the Tories of putting the interests of two dozen cabinet ministers ahead of three million Alberta residents.

But Klein said the Liberals are complaining because they won't be able to make political hay with cabinet briefing documents.

"There is no way that the opposition is going to get this briefing book," Klein, waving his notes in the air, told the legislature.

"They will use it for purely political purposes."

Klein's Conservatives are using their majority to limit further debate on Bill 20 as the spring sitting of the legislature winds down this week.

Klein has said cabinet briefings are sometimes brutally frank and sharing this anytime soon with the public might be embarrassing for his staff and other bureaucrats.

"There are some sensitive pieces of information that were put together by the administration," Klein told the assembly.

...

"Noxious! That's the word used by a top expert in government secrecy when asked to describe this government's Bill 20," said Taft, who was referring to Alasdair Roberts, a Canadian author and professor teaching at Syracuse University in New York state.

Frank Work, Alberta's information commissioner, has also criticized Bill 20, saying the restrictions are unnecessary, since most cabinet documents are already kept confidential for an infinite period.

...

Raj Pannu, information critic for the NDP, said Klein is trying to cover his tracks before retiring later this year.

Pannu said people need to remember that Tory leadership contender Lyle Oberg was fired from cabinet recently after saying he knew about the "skeletons" in the government's past.

"There are lots of skeletons in the closet for this government and they want to keep them in the closet for as long as they can," Pannu said Monday in an interview.

...

Doctors' billings in Nova Scotia are private information under FOIPOP

On Friday, the Nova Scotia Court of Appeal ruled that individual billings by physicians in the province should not be disclosed under the Freedom of Information and Protection of Privacy Act. The decision isn't online yet at www.courts.ns.ca or www.canlii.org, but I'll post a link when it's up.

In the meantime, here's some coverage from the Halifax Chronicle Herald:

The ChronicleHerald.ca:

Court keeps doctors’ payments secret

By JENNIFER STEWART Staff Reporter

Nova Scotia doctors will not be required to disclose to government their fees for services rendered, the Nova Scotia Court of Appeal ruled Friday.

In April, members of Doctors Nova Scotia appealed an earlier Supreme Court of Nova Scotia decision that ordered all physicians in the province to hand over any MSI fee-for-service billing records, with their names attached.

Joanna Redden of the NDP made the request in July 2004, claiming the information was pertinent to helping solve the province’s health-care crisis.

The doctors had no problem providing the financial information but said the inclusion of the physicians’ names was a gross invasion of privacy.

Justices Joel Fichaud, Thomas Cromwell and Linda Oland, who heard the appeal on April 5, agreed.

"The disclosure of the names of individual physicians would be an unreasonable invasion of the physician’s privacy," the decision says.

...

Questions to ask about smartcards

The Victoria (Australia) Privacy Commissioner has published a handy checklist of questions to ask about smartcards. Thanks to Open and Shut for the link.

PEI "at a crossroads" on privacy and access

It was reported last week that the Information and Privacy Commissioner of Prince Edward Island has temporarily taken leave due to stress. (See: CBC Prince Edward Island - Privacy commissioner takes sick leave and CBC Prince Edward Island - Minister surprised by overwork complaint.) I didn't blog about it, principally because her health is her own business and shouldn't be the topic of public discussion. However, it has caused some discussion of real public interest on the role of the Information and Privacy Commissioner in that province and, particularly, the resources that should be devoted to the function.

Currently, the province's Commissioner is a part-time position, at 22.5 hours a week and with part-time administrative support. Her annual report, filed at the beginning of the month, outlines the backlog that her office is having to deal with.

Now today's Guardian has an editorial on the situation:

The Guardian: Province at crossroads on information

Either put more resources into the info commissioner’s office or tell the public to expect longer waits for information.

By The Guardian

Based on the recent report of P.E.I.’s information and privacy commissioner, government has two choices. It can lighten the demand on the office so that the current staff can handle it, or it can beef up resources so it can meet the targets set out in legislation.

If government has a genuine appreciation of the role of this newly created office, it should do the latter.

In her report to the legislature presented last week by Speaker Greg Deighan, Rebecca Wellner, part-time information and privacy commissioner, urged government to make the position of commissioner and her assistant full-time and increase their financial resources.

Why? The report identifies a growing backlog of incomplete files. In spite of the law requiring the office to process cases within 90 days of the date of filing, only three of 27 files that resulted in orders from the commissioner from 2003-2004 were dealt with within the allotted time.

It appears the office is swamped with work and lacks the resources it needs to respond. If that’s the case, it’s unfair to the staff trying to get the job done, unfair to the parties who’ve filed requests with the office expecting they’ll get timely results, and it’s unfair to taxpayers who are paying for the service.

P.E.I. was one of the few provinces without access to information legislation until a few years ago when government finally adopted it. Suffice to say, it’s been a work in progress. Some of those who’ve used it say it’s costly and cumbersome, although these are seen as common problems that must simply be worked out.

In an era where voters are demanding more openness and accountability from their governments, this legislation is seen as a necessary tool to access public documents and information. It’s obvious that when the P.E.I. government created the office of the information and privacy commissioner, it attempted to ensure reasonable accessibility. Why else would it have put into law the requirement that cases be processed within 90 days?

However, the current staffing of the office doesn’t appear to be adequate to allow for this. Government must either revise the legislation and provide a longer period for case completion or address the staff inadequacies.

If government doesn’t want to render the office ineffective — and we assume that to be the case — it should follow Ms. Wellner’s recommendation and make the position of commissioner and her assistant full time. It’s the price we have to pay to ensure that our information and privacy legislation remains active and effective for Islanders.

Sunday, May 14, 2006

UK cable service to feed CCTV of public spaces to viewers' TVs

A TV service provider in London has rolled out a pilot project in which feeds from hundreds of "crime fighting" CCTV cameras are being rebroadcast for in-home viewing:

Telegraph | News | CCTV channel beamed to your home:

Shoreditch TV is an experiment in beaming live footage from the street into people's homes and promises to be every bit as fascinating as the courtship rituals of Celebrity Big Brother contestants Chantelle and Preston.

Viewers can watch the dog walkers on the street below, monitor the appearance of new graffiti and keep an eye on the local pub.

This summer 22,000 Londoners will be tuning in and homes across Britain are getting their own version next year. But despite being a curtain-twitcher's paradise, the channel is about 'fighting crime from the sofa', not entertainment.

In return for a package that includes footage from 12 security cameras, a police advice channel and an array of standard cable fare, the residents of Haberdasher Estate are expected to shop any yobs that they catch on camera.

Check out, also, the Slashdot discussion: Slashdot | London 2006, Meet London 1984.

Finding: Providing access to health information via individual's physician

In this recent complaint to the Privacy Commissioner, an individual objected to an insurance company's policy of providing access to medical information by giving it to the individual's physician, who would then provide the information to the individual. This practice is contemplated by Principle 4.9 in Schedule I to PIPEDA. The Commissioner found that the insurance company had not violated its obligations under PIPEDA in providing access in this manner.

See: Commissioner's Findings - PIPEDA Case Summary #322: Provision of medical information through physician challenged (December 22, 2005).

Finding: "Do not solicit" means "do not solicit"

In this recent finding, the Commissioner dealt with a complaint by a bank customer who had contacted his bank asking not to be marketed to but subsequently was contacted a number of times by his branch about products and services.

The bank informed the Commissioner that there are two circumstances where the customer may be contacted notwithstanding a "do not solicit" flag on his or her file: (a) in-branch generated sales leads and (b) leads developed by data mining but taking advantage of service-related communication opportunities such as GIC and mortgage renewals.

The Commissioner considered that the bank had not followed the consent principle 4.3 and determined the complaint to be well-founded and resolved.

See: Commissioner's Findings - PIPEDA Case Summary #323: Bank's assumptions about consent to marketing challenged (December 22, 2005).