Thursday, February 25, 2010

Alberta Privacy Commissioner tells retailer not to do routine credit checks of sales staff

The Information and Privacy Commissioner of Alberta has just ordered Marks' Work Wearhouse to stop carrying out routine credit checks on prospective employees in Investigation Report P2010-IR-001.

From the Commissioner's website:

February 23, 2010

Mark’s Work Wearhouse investigated under the Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that Mark’s Work Wearhouse (MWW) contravened the Personal Information Protection Act (PIPA) when the organization conducted pre-employment credit checks for its job applicants.

The complainant had applied for a job with MWW as a sales associate. During the complainant’s in-person interview with the organization he signed a declaration of understanding for a credit check. Shortly after the interview he was contacted by MWW and asked to explain his credit rating and how he was resolving his credit issue. The complainant explained to MWW that in the past an error in processing his paper work between the federal government and his bank concerning his student loans had occurred. Due to a lack of financial resources he could not resolve the matter.

The complainant was unsuccessful in obtaining the sales associate position with MWW. MWW advanced that the organization conducted a pre-employment credit check in regard to the complainant as the information provides an assessment of how job applicants will handle financial responsibilities and tasks with their employment duties as a sales associate; and it is an assessment of whether the job applicants have a probable risk of in-store theft or fraud. The investigator found that the personal credit information collected by MWW was not reasonably required to assess the complainant’s ability to perform the duties a sales associate, or to assess whether he might have a tendency towards committing in-store theft or fraud.

MWW agreed to cease the collection of personal credit information of sales associate applicants as part of its hiring process.

Some coverage: Canadian HR Reporter - Article View.

Tuesday, February 23, 2010

Saskatchewan Privacy Commissioner cuts services due to lack of funds

The Privacy Commissioner of Saskatchewan is reportedly having to scale back services after the provincial government nixed a request for additional resources to hire another investigator. Gary Dickson's office not only administers the public sector access and privacy law, but he has to deal with the health privacy law that covers public and private sector healthcare.

I'm not sure you can truly be independent of the government if you have to go begging to it for adequate funds.

Saskatchewan privacy commissioner cuts services citing lack of resources - Winnipeg Free Press

REGINA - Saskatchewan's privacy commissioner says his office is in crisis and is being forced to cut back services because of a lack of funding from the provincial government.

Gary Dickson says surging demand for service has overwhelmed his office and the current three investigators cannot sustain the caseload.

He says despite his plea, the government's Board of Internal Economy has denied a request for $129,000 to hire another investigator and set up office space for that person.

"I've said to the board when I appeared in front of them, and I used the word very consciously, our office is in a crisis in terms of being swamped with demands for service from the people who live in the province," Dickson said Monday.

"We just cannot possibly ... respond to that demand in any kind of reasonable time frame."

Dickson says the number of reviews and complaints is up by 113 per cent over last year. Requests for advice and inquiries from public bodies and health trustees are also up.

Some people have been waiting for more than three years for a resolution to their case file, he says. The three investigators currently have a caseload of 376 reviews and investigations.

"Something has to give," says Dickson.

"So what we've decided to do is try and be transparent to the people of the province in terms of how this is going to translate into waits and delays."

The commissioner says his office will send letters to everyone who requests an investigation or review alerting them that they should not expect any action on their file for approximately 12 to 18 months.

Dickson also says all public organizations should expect significant cutbacks and delays if they need consultation on a project.

The privacy commissioner's office oversees some 3,000 bodies including ministries, Crown corporations, boards, commissions, agencies, schools, regional health authorities, municipalities, universities, colleges and health trustees.

The commissioner says the decision by the board will diminish how accountable public bodies are to the people of Saskatchewan.

"Manitoba, with roughly the same population, would have six investigators. Newfoundland and Labrador I think has more than six investigators (and) half the population. They certainly don't oversee 3,000 public bodies and health trustees," says Dickson.

Saskatchewan Justice Minister Don Morgan, who sits on the board of internal economy, says the privacy commissioner's budget has been steadily rising since 2002. That can't continue during tough financial times, he says.

"We're in times of fiscal restraint and we're expecting all ministries, all government agencies to try and work within existing budgets wherever they can," says Morgan.

The province is trying to cope with a big hole in last year's budget when potash revenue fell $1.8 billion.

The Saskatchewan government will deliver its new budget March 24, but Premier Brad Wall has already warned there won't be big spending increases - in fact, cuts are in the works.

Morgan said there's no way of controlling how many complaints the privacy commissioner's office receives, but he wants to cut the number if possible.

"We would like to work with the privacy commissioner to find ways that we can reduce the backlog in their office and try and find some efficiencies by having more of the requests dealt with at the ministry levels rather than through his office," he says.

Friday, February 19, 2010

Don't tell the world where you aren't

There's a lot of power in social media, but many tweet or update their status withouth thinking about what they are telling the world. This issue is especially acute when it comes to location-based information. If you're telling the world you're at your local Starbucks, you're telling everyone that you're not at home. Burglars may be interested in that, if they can match your tweets with your home address. A new website, Please Rob Me, vividly illustrates the issue. See also: Please Rob Me Makes Foursquare Super Useful For Burglars.

Wednesday, February 17, 2010

Newfoundland court concludes Information and Privacy Commissioner may not review privilege claims

The Supreme Court of Newfoundland has released what I think is a very important decision under that province's access to information legislation. The dispute in Newfoundland and Labrador (Attorney General) v. Newfoundland and Labrador (Information and Privacy Commissioner), 2010 NLTD 31 (not yet on CanLII) centered around whether the Information and Privacy Commissioner has the authority to request and review documents that were alleged to be subject to solicitor-client privilege.

The relevant portion of the Act on which the Commissioner was relying provides:

52. (1) The commissioner has the powers, privileges and immunities that are or may be conferred on a commissioner under the Public Inquiries Act.

(2) The commissioner may require any record in the custody or under the control of a public body that the commissioner considers relevant to an investigation to be produced to the commissioner and may examine information in a record, including personal information.

(3) The head of a public body shall produce to the commissioner within 14 days a record or copy of a record required under this section, notwithstanding another Act or regulations or a privilege under the law of evidence.

The Court concluded that solicitor-client privilege, though it may have started as a rule of evidence, is a substantive right that it not interfered with by Section 52(1). This is consistent with Privacy Commissioner of Canada v. Blood Tribe Department of Health, 2008 SCC 44 (S.C.C.).

Justice Marshall wrote:

[90] Section 52(3) of the ATIPPA does not oblige the DOJ to provide the Commissioner with solicitor-client records. The language of section 52(3) does not capture solicitor-client privileged documents. Similarly, section 52(2) does not give the Commissioner power to demand solicitor-client records. The open-textured language of section 52(2) is to be read as not including solicitor-client documents (Blood Tribe). Similarly, a restrictive interpretation of section 52(3) dictates that describing privilege solely as a rule of evidence is not broad enough to capture solicitor-client privilege. While this finding is based on a restrictive interpretation, it is also consistent with the objects of the ATIPPA. The “mischief” has been remedied by the legislature which has given the Commissioner the power of review; but not the power to violate solicitor-client privilege which is a “fundamental civil and legal right”.

Monday, February 15, 2010

Bar watch program coming to Halifax

Following in the footsteps of British Columbia and Alberta, bar owners in Halifax are talking about rolling out a "Bar Watch" program. You can read about other programs here: id swiping.

What is particularly troubling or at the very least needs close scrutiny is the suggestion that the banned list is going to originate from the police. So far, I haven't seen what gives the police the right to decide who goes into licensed establishments and what criteria they will use. I haven't seen any detail about how it with be implemented and what information will be demanded from all bar patrons.

Stay tuned.

Bar owners see police role in managing ban (UNews)

The group spearheading a citywide bar-goer blacklist may rely on police to provide personal information of banned patrons, according to a spokesperson for the group.

"I'm assuming that the police would hand it over to us, I can't see why they wouldn't," said Richard Stevens of the Restaurant Association of Nova Scotia. "I'm fairly certain that that's the way it would go."

Stevens is a co-owner of the Pogue Fado Irish Public House, as well as chair of the association's government-affairs committee. That committee met Thursday with its partners in this project - the municipality, police and provincial liquor enforcement officials - and agreed in principle to proceed with the plan.

The Bar Watch program, as it's been dubbed, may begin as early as April, but there's a lot still up in the air. Though Stevens said he's just speculating at this point, maintaining a database of patrons barred from Halifax's drinking establishments would be key.

This list would likely contain "very basic biographical information about the person," such as name and address, he said. Some details of the incident that earned them their spot on the list may also be included, including names of witnesses and security staff involved.

The list would be maintained by the association, and only bar owners and general managers would be able to add people to it. Bar security would only see the names of banned patrons, not their full details.

"It would take a significant incident (to get on the list). This isn't anything that any of the owners take lightly," Stevens said.

"I'm assuming that probably 75 to 80 per cent of the people that end up getting barred, the police would probably end up getting involved anyway ... because it would be that serious."

Even if bar security have to restrain patrons involved in a fight or another serious incident, the bouncers have no right to search them for ID, he said.

"If they fail to provide identification, if and when they've been restrained after an incident, we'd call the police," he said. "The police would come and the police would get that information."

Stevens said he believes the police will provide the information necessary for the blacklist. Arrest records are public.

Police advising, but no word on further role

Halifax Regional Police spokesperson Cst. Brian Palmeter said the police's role "is to provide any guidance or assistance that they would ask from us."

"All that we're really saying about it is that we're aware the Restaurant Association has had some preliminary discussions about this ... We would support anything that any business would do to make it safer for their customers ... but as far as this goes, this is something that they're looking at doing. It's not a police matter."

At the time, Palmeter was not asked and did not comment on whether police would provide the association with personal information of patrons.

Stevens said the police have been advising the association on the administration of the program.

"They have a lot more experience with these programs than we do," he said. "They're guiding us along, providing advice, and they're going to stay by our side ... until we get this thing up and running."

Stevens said the police could be involved in this capacity for one to two years.

The next step in getting this program off the ground is a meeting with "the key stakeholders around HRM," which Stevens said he expects within the next two or three weeks.

"We'll target, with the help of the police force, 10 or 12 key establishments, contact the owners, and call them in for a meeting where we'll describe the program, its objectives, what we hope to accomplish, and ask them to get onboard."

Friday, February 12, 2010

Privacy Commissioner consultations on new technologies: a few thoughts

Over the last month, the Office of the Privacy Commissioner of Canada has launched two public consultations related to new and emerging technologies. The first, called for in January of this year, relates to "online tracking, profiling and targeting of consumers by marketers and other businesses." The second, which will focus on cloud computing, was announced yesterday. The consultations call for written submissions and will culminate with public events in Toronto, Montreal and Calgary.

It will be interesting to see what these consultations bring to the fore, particularly in light of the Commissioner's observation that PIPEDA has been "sorely tested" over the last decade and may need fortification for the next decade:

Speech: The Future of Privacy Regulation – February 10, 2010

"But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested. We have bent and stretched it in many different ways.

And, if we don’t want it to snap, we need to figure out how to fortify it for the decade ahead.

For that, we need to look at our privacy laws and administrative structures. We need to dramatically modernize the Privacy Act, which governs the public sector, and to consider whether PIPEDA, the private-sector Personal Information Protection and Electronic Documents Act, remains suited for the next 10 years.

But we cannot function in isolation. We need to examine what’s happening in other jurisdictions, and work with them on common approaches to the challenges we all share."

PIPEDA, for all its weirdness as a statute, is in my view surprisingly resilient. It is because it is based on flexible principles rather than prescriptive rules that it can accommodate various industries and new technologies. The defects that were there on day one are generally still there, but its technological neutrality was well drafted and has withstood the test of time.

For example, it is firmly based on the idea of reasonableness, notice and consent. Provided the purposes are reasonable, there is notice and consent it obtained, the law fits and will work. This is regardless of whether the information is collected online, in person or via stone tablets. It works if the information is directly indentifiable to the individual (name), can lead to the identification of the individual (other identifier) or relates to some characteristic of the individual (house price). The exceptions to the law, such as journalistic collections of information, are generally reasonable and in fact necessary in light of the Charter of Rights and Freedoms.

Perhaps some guidance is useful. For example, it would help to have some consensus on best practices for notices to individuals related to the use of persisent cookies or when information will potentially cross borders. But ultimately all of these are within the domain of a judge interpreting the statute, who will have a pretty robust, principled, technologically neutral lens to look through.

Those are just my thoughts ... it will be interesting to see what the participants have to say.