Wednesday, January 10, 2007

CIPPIC calls for mandatory privacy breach notification

The Canadian Internet Policy and Public Interest Clinic has released a whitepaper calling for mandatory breach notification. Specifically, CIPPIC is calling for an amendment to PIPEDA:

Amend Principle 7 of PIPEDA to include a requirement to notify affected individuals of a security breach that results in the acquisition of unencrypted personal information by an unauthorized person. Such requirement should include specifics regarding the type of personal information and breach that triggers the obligation to notify, form and content of notices, timing of notices, who should be notified, etc. Failure to notify affected individuals as required under the Act should be subject to tough penalties.

Notification should be required when designated personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency should not trigger the notification requirement, provided that the personal information is not used or subject to further unauthorized disclosure.

An "unauthorized person" means:

a) A person who is not an employee or agent of the person that maintains the designated personal information;

b) An employee or an agent of the person that maintains the designated personal information who

(i) exceeds his or her authority to access the designated personal information; or

(ii) uses the information for purposes not related to his or her duties.

"Designated personal information" is information, in electronic or paper form, which includes the first name, initial, or middle name, and last name, or address, in combination with any of the following data: government issued identification number including social insurance number, driver’s license number, or health card number; account numbers, credit or debit card numbers, or other unique identifiers issued by other organizations together with any security code, password or access code that would permit access to the individual's information. Information that is encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable by unauthorized persons does not constitute "designated personal information".
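The proposal above amounts to a three-part test: was the information "designated personal information" (a name or address element combined with a sensitive data element, and readable by the acquirer), was it acquired by an "unauthorized person", and does the good-faith employee exception apply. The following Python encodes that test as an incident-assessment aid. It is an added illustration, not code from CIPPIC's whitepaper or from this post; the field names, record format and sample breach scenarios are constructed here, and the reading that the "security code, password or access code" clause qualifies only the account and card identifiers (not the government-issued numbers) is an assumption about the proposal's wording.

```python
"""
Breach-notification trigger check modelled on the CIPPIC proposal quoted above.
Added illustration; not CIPPIC's or the blog author's code. Field names, the
record format and the scenarios below are constructed. Assumption: the
"security code, password or access code" clause applies only to the
account/card/other-identifier group, not to government-issued numbers.
"""
from dataclasses import dataclass, field

# Data element categories taken from the quoted definition of
# "designated personal information".
NAME_ELEMENTS = {"first_name", "initial", "middle_name", "last_name", "address"}
GOV_ID_ELEMENTS = {"sin", "drivers_licence", "health_card"}
ACCOUNT_ELEMENTS = {"account_number", "credit_card", "debit_card", "other_org_identifier"}
ACCESS_CREDENTIALS = {"security_code", "password", "access_code"}


@dataclass
class ExposedData:
    """Elements acquired in the incident, and which of them were unreadable to
    the acquirer (encrypted, redacted or otherwise altered)."""
    elements: set
    unreadable: set = field(default_factory=set)

    def readable(self) -> set:
        # Only elements readable by the unauthorized party count.
        return self.elements - self.unreadable


def is_designated_personal_information(data: ExposedData) -> bool:
    readable = data.readable()
    # A name element is required: (first name, initial or middle name) plus
    # last name, or an address.
    has_name = "address" in readable or (
        "last_name" in readable and bool(readable & {"first_name", "initial", "middle_name"})
    )
    if not has_name:
        return False
    # Any government-issued identifier is enough on its own.
    if readable & GOV_ID_ELEMENTS:
        return True
    # Account-type identifiers count only together with a credential that
    # would permit access to the individual's information (assumed reading).
    return bool(readable & ACCOUNT_ELEMENTS) and bool(readable & ACCESS_CREDENTIALS)


@dataclass
class Acquirer:
    """Who obtained the data, per the "unauthorized person" definition."""
    is_employee_or_agent: bool
    exceeded_authority: bool = False
    used_for_unrelated_purpose: bool = False
    # Relevant to the good-faith exception: was the data used or passed on?
    used_or_further_disclosed: bool = False


def is_unauthorized_person(a: Acquirer) -> bool:
    if not a.is_employee_or_agent:
        return True  # clause (a): not an employee or agent
    # clause (b): employee/agent who exceeds access authority or misuses the data
    return a.exceeded_authority or a.used_for_unrelated_purpose


def notification_required(data: ExposedData, acquirer: Acquirer,
                          reasonably_believed_acquired: bool = True) -> bool:
    """True when the proposal would require notifying affected individuals."""
    if not reasonably_believed_acquired:
        return False
    if not is_designated_personal_information(data):
        return False
    if is_unauthorized_person(acquirer):
        return True
    # Good-faith acquisition by an employee or agent for the organisation's
    # purposes is exempt only while the data is not used or further disclosed.
    return acquirer.used_or_further_disclosed


if __name__ == "__main__":
    # Constructed scenarios for a tabletop walk-through.
    stolen_laptop = ExposedData({"first_name", "last_name", "sin"})
    encrypted_laptop = ExposedData({"first_name", "last_name", "sin"}, unreadable={"sin"})
    outsider = Acquirer(is_employee_or_agent=False)
    clerk = Acquirer(is_employee_or_agent=True)
    for label, data, who in [
        ("unencrypted SIN, stolen by outsider", stolen_laptop, outsider),
        ("encrypted SIN, stolen by outsider", encrypted_laptop, outsider),
        ("unencrypted SIN, clerk acting within duties", stolen_laptop, clerk),
    ]:
        print(f"{label}: notify = {notification_required(data, who)}")
```

Note that encrypting the sensitive element (but not the name) is enough to fall outside the definition in this model, which is exactly why the encryption safe harbour in such proposals is debated: the test says nothing about key management or the strength of the encryption.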

1 comment:

Anonymous said...

Does this go against Privacy Laws:
I experienced something last night at Blockbusters on Lonsdale Avenue that I have quite honestly never experienced before in my life. I have been working in the hospitality business and customer service all my life, and last night I saw the worst.

My Spouse and I decided to rent a couple of movies last night, and also drop off a few movies that we had recently purchased. They have that trade a movie for a $1.00. We arrived at the Blockbuster at about 10 pm, dropped off our old rentals, quickly picked up a new one and made our way to the Counter.

When at the counter, the girl asked us for a driver's license and our Blockbuster card, which we did. She then asked my spouse what her height was. We asked why her height was important to rent a movie; she answered it's a new thing brought out by the RCMP, and we were then told by the lady, "The RCMP know everything about you anyway." We certainly didn't want to cause a scene, so we told her "5 feet 5 inches", especially when there were a few people behind us waiting for the counter.
Even though it was on the back of the driver's license, she explained to us that she does not understand cm's. (And I thought we lived in Canada where it was a metric system.)
She then asked my spouse in front of all the customers what her weight was. I am sure that there are many women out there that might be a little sensitive to tell half the store (customers and staff) their weight. My spouse, being very sensitive about her weight, told the lady that she did not think it was appropriate to ask in front of everybody what her weight was. I then told the lady it clearly states her weight on the back of her driver's license that she had been holding in her hand. The lady told me that her weight on the driver's license was in kilograms (kg) and she needed it in lbs. I said, no problem, take the calculator on your desk, enter the kg's and multiply it by 2.2.

The lady (really rude) told us in front of everyone that she will stop serving us, as she needs the weight in lbs. I asked her again to please do the calculation. She then told us that we are personally attacking her, and she walked away from the counter. Needless to say, we were very embarrassed and were then helped by what seemed to be the manager. I tried explaining to her that it is not only against the law to ask something like that out loud, due to our privacy act, and it would have been simple to calculate the weight by multiplying it by 2.2 to get the lbs. I was told that she was just doing her job.

Now, would it not have been a simple transaction to simply ask the customer to write her personal information on a piece of paper, or do the calculation? Do these people actually get trained in customer service? Anyway, I personally will never use Blockbuster again.

What do you think?