Monday, January 31, 2011

Avoid ATM skimmers, use a hotel key card instead

Bank card skimmers and scammers are a pretty resourceful bunch. While people are becoming increasingly vigilant about skimming hardware being covertly added to bank machines, they may not be aware of skimmers being added to card readers that are used for after-hours access to ATMs in bank lobbies. (See: ATM skimmer that doesn't require any modifications to the ATM - Boing Boing.)

This may not be general knowledge, but most of these card readers don't validate the card at all; they just check that a magnetic stripe is present.

To avoid having your card skimmed at the doorway, you can often use any card with a mag-stripe, such as an old hotel key card, a gift card or your library card. Next time you're at an ATM, give it a try.

Monday, January 17, 2011

Nova Scotia review officer considers investigation of WCB over misdirected file

Last week, the Halifax Chronicle Herald reported that the provincial Workers' Compensation Board mistakenly sent the wrong person's file to an individual who was contesting his claim under the program.

It looks like it was a one-off error:

WCB sends wrong file to man - Metro

.... MacLean insists the board does not often mix up its clients and she can’t remember the last time a file was mailed out in error.

"Our employees all go through (Freedom of Information and Protection of Privacy Act) and privacy breach training and we take this all very seriously."

And they have procedures to follow if something does go awry.

To help avoid personal information falling into a stranger’s hands, she said the envelope is stamped with a warning message that asks the recipient to alert the board if they received the envelope in error. It also asks the recipient not to open or destroy its contents.

However, she admitted, she didn’t know how anyone could tell if the file wasn’t theirs without first opening the envelope and reading the contents.

The board is mailing Kinsman his correct file, MacLean said.

Today the paper is reporting that the newly established Privacy Review Officer is considering an investigation: Privacy watchdog mulls probe of WCB.

I'm not sure that this error indicates any sort of a systemic problem, but I expect we'll hear more about it in the future.

Personal Health Information Act for Researchers

I was invited to give a presentation to staff and physicians at the IWK Health Centre in Halifax on the impact of the new Personal Health Information Act on researchers and research activities.

For anyone who may be interested, here is a copy of the presentation:

(If the embedding above is not working for you, this link should take you to the presentation.)

Saturday, January 15, 2011

Investigating and Preventing Criminal Electronic Communications Act bill one step closer to (warrantless) surveillance state

Want to know one reason why the Canadian government's proposed Bill C-52, referred to as the Investigating and Preventing Criminal Electronic Communications Act, is so horrible? Just look at what recently happened in Belarus. According to Boing Boing (Report: Belarusian mobile operators gave police list of demonstrators - Boing Boing), mobile operators in that country have cooperated with the secret police to identify people who were present at an anti-government demonstration. Shocking.

Bill C-52 gives the same tools to the Canadian secret and not-quite-secret police. Section 16 of Bill C-52 requires all telecommunications service providers to hand over enormous quantities of customer information to the police, CSIS or the competition cops. There is no limit on the amount of information to be provided; the only restriction is that the request relate to the "duties" of the police force or intelligence agency. In addition, the law just says that the following information has to be provided:

  • name,
  • address,
  • telephone number,
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number.

Usually, the cops say they need help chasing down a customer name and address when they have an IP address, but the bill doesn't say that if the cops have X info, they can get Y subscriber data. Instead, it just says on request the telco has to hand over the entire laundry list of data on customers. And this is without a warrant or any sworn justification of any kind. Unlike wiretap laws where stats have to be released, there is no obligation on the part of the police or the ministers responsible to release information about how these powers are used and under what circumstances.

If the police are able to scan the airwaves at a protest and pick out the IMEIs of all the phones present, telcos would have to hand over a list of all the names, addresses, etc. of those customers upon request. I can't really see a limitation in the statute that would prevent the police from asking for all the above data for any subscribers who connected, for example, to any cell site in a particular neighbourhood at a particular time. How handy would that be to track down everyone who was present near the G-20 protests in Toronto?

If we're shocked at what repressive regimes are doing to their citizens, we shouldn't be giving our own governments tools to be repressive.

(The good news, if there is any, is that the Bill was introduced on November 1, 2010 and doesn't seem to be going anywhere fast. But don't count it out yet.)

Friday, January 14, 2011

Your smartphone could be your most dangerous possession, so secure it

After a decision out of California which found that police are able to rummage through all your portable electronics incident to arrest, much attention has been focused on how much data people carry around in their portable electronics. CNN Money is running a story with the descriptive title: Your smartphone could be your most dangerous possession.

I've brought this up a number of times in presentations about border searches: customs agents have always had the right to go through all the stuff you're carrying, but what's different now is that people are carrying around the equivalent of their personal files, their scrapbooks and their correspondence in a small package.

The threat isn't just customs agents and police, but also the fact that people lose these devices all the time. People need to be mindful of this fact and take steps to either limit what they have on their devices or take steps to make it inaccessible to others. For some useful pointers on how to do so on most smartphones, check out LifeHacker's How to Secure Your Smartphone.

Thursday, January 13, 2011

Arizona hospital fires employees for snooping on records of shooting victims

Various media outlets are reporting that the Tucson University Medical Center has fired a number of employees for inappropriately accessing the medical records of people involved in the shooting in Arizona that left Rep. Gabrielle Giffords gravely injured and six dead. See: 3 UMC workers fired for invading records.

This is an example of how important it is to have auditability in your records system because curiosity often leads to employees overstepping established boundaries.

Tuesday, January 11, 2011

Profile of Quebec's new access and privacy commissioner

Quebec's new access and privacy commissioner, Jean Chartier, is profiled in the Montreal Gazette:

New privacy commissioner to focus on greater access

QUEBEC — Greater access to government information and a preventive approach in privacy protection will be the focus of Jean Chartier, sworn in Tuesday as the province’s new access and privacy commissioner.

“I am personally in favour of access,” Chartier said at his first news conference, noting that the commission must produce a five-year report by June and he intends to make recommendations about more “open government.”

Like Ontario and other provinces, Quebec’s access commissioner is also its privacy commissioner.

Chartier said he wants to introduce a “preventive” approach, informing people they are not obliged to divulge extensive private information just to join a video club, for online shopping or to join a social network.

The same goes for Google Street, the online service that shows pictures of your street.

“This is your personal information,” he said. “You should protect it.”

Chartier replaced Jacques Saint-Laurent, who was a lower-profile access and privacy commissioner in comparison with Jennifer Stoddart, who filled the Quebec position before she was named Canada’s privacy commissioner in 2003.

Chartier said his “personal colour” would influence the direction of the commission.

Chartier was named a member of the access and privacy commission in 2006, ruling on access to information appeals.

Saint-Laurent was voted unanimously by the Quebec National Assembly as the assembly’s first ethics commissioner in December, when the assembly named Chartier to succeed Saint-Laurent.

The new commissioner said that in its rulings, the commission is bound to respect the access and privacy laws as they are written, otherwise its decisions can be challenged in the courts.

“My position has always been the same in the decisions I have made in the last five years and it will be the same: if access is possible, I will give access to the document,” he said.

In Ontario, the salaries of all public-sector employees making $100,000 or more are published by the province each year on a website. In Quebec, the access law only covers the salaries of senior public-sector managers.

“These salaries are paid from public funds,” Chartier said. “Is there any reason why they should not be disclosed?”

Tuesday, January 04, 2011

Privacy year in review (2010): Caselaw

This is the second in a multi-part series of postings looking back at the year 2010 in privacy in Canada. (For an overview of legislative changes, see: Canadian Privacy Law Blog: Privacy year in review (2010): Legislation.)

Court Cases

State Farm Mutual Automobile Insurance v Office of the Privacy Commissioner, 2010 FC 736

This case arose out of a series of complaints brought by one plaintiff’s counsel in New Brunswick against a number of insurers. In this particular case, the plaintiff in a motor vehicle accident lawsuit demanded access to all of the personal information held by the insurer, including documents said to be privileged. The insurer had already, as part of the litigation discovery process, provided all non-privileged documents to the plaintiff. Nevertheless, the plaintiff complained to the Office of the Privacy Commissioner of Canada.

When the OPC came knocking, the insurer (through its counsel – yours truly) said it had provided all relevant information but in any event, the OPC was without jurisdiction to investigate and to demand further documents. The basis of this argument was that the information was not collected, used or disclosed in the course of commercial activity, which is the basis for jurisdiction under PIPEDA.

The OPC never issued a finding in this file, but the Commissioner’s investigator did say that the OPC had concluded that she had jurisdiction.

The insurer said that New Brunswick courts had jurisdiction over matters of New Brunswick litigation, which began an odyssey through the New Brunswick courts until the Court of Appeal said it belonged in the Federal Court. A subsequent hearing and decision in the Federal Court found that the insurer is an agent for the insured and was not engaged in commercial activity when defending its insured.

In particular, the Court said:

I conclude that, on a proper construction of PIPEDA, if the primary activity or conduct at hand, in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action, is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf. The primary characterization of the activity or conduct under PIPEDA is thus the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties. In this case, the insurer-insured and attorney-client relationships are simply incidental to the primary non-commercial activity or conduct at issue, namely the collection of evidence by the defendant Ms. Vetter in order to defend herself in the civil tort action brought against her by Mr. Gaudet.

Since this case, the OPC has changed how it deals with access claims that raise privilege claims during litigation so that it declines to investigate, leaving it to the court where the matter is seized to determine privilege claims.

See, for example, PIPEDA Case Summary #2010-001: Commissioner does not issue report to individual seeking access to her personal information being withheld for reasons of solicitor-client privilege.

Privacy Commissioner of Canada v. Air Canada, 2010 FC 429

This case, handed down in April 2010, was another fight over privileged information. An applicant sought access to documents that Air Canada claimed to be privileged. The Commissioner demanded that Air Canada provide an affidavit setting out the basis for the privilege claims, which the company refused to do. It maintained that the information it has provided in previous correspondence was sufficient.

The Federal Court concluded that the Commissioner cannot require evidence to substantiate privilege claims:

[55]           I see nothing in PIPEDA which would require Air Canada to disclose discoverable facts which are contained in a privileged document, other than in court proceedings. These facts were put at the disposal of its solicitors for legal advice. Indeed, Blank, above, is instructive. The Access to Information Act also denies production of privileged documents. That being said, section 49 provides that the Court may, nevertheless, order the production of the record or part thereof. The Motions Judge, in a judgment reported at [2000] F.C.J. No. 1147 (QL), ordered that some facts be severed from privileged documents and be made available to the applicant. The Crown did not appeal. In Mr. Blank’s appeal, Madam Justice Sharlow went out of her way to state at paragraph 22:
The instances in which partial disclosure was ordered fall into two categories. In one category, disclosure was ordered of certain statements in the communication that were purely factual. It is arguable that those factual statements should not have been ordered disclosed because in each case they are inextricably linked to the legal issue under discussion that they ought to be treated as part of the privileged communication. To that extent, there may have been over-disclosure of some privileged documents. However, as the Minister has not cross-appealed, the order of the Judge will not be varied on that account.

Randall v. Nubodys Fitness Centres, 2010 FC 681

This case arose because of a disclosure of the applicant’s personal information by a health club to the applicant’s employer. The employer subsidised gym memberships and the gym disclosed to the employer how often employees visited the gym.

The applicant complained to the Privacy Commissioner and then took the matter to the Federal Court, seeking $85,000 damages.

The Court found that the disclosure was minimal and caused no injury:

[55] Pursuant to section 16 of the PIPEDA, an award of damages is not to be made lightly. Such an award should only be made in the most egregious situations. I do not find the instant case to be an egregious situation.

[56] Damages are awarded where the breach has been one of a very serious and violating nature such as video-taping and phone-line tapping, for example, which are not comparable to the breach in the case at bar: Malcolm v. Fleming (B.C.S.C.), Nanaimo Registry No. S17603, [2000] B.C.J. No. 2400; Srivastava c. Hindu Mission of Canada (Québec) Inc. (Q.C.A.), 2001 CanLII 27966 (QC C.A.), [2001] R.J.Q. 1111, [2001] J.Q. no 1913.

[57] While the applicant asserts that he suffered damages in “retaliation” by his employer in the form of being subject to commentary in the workplace regarding his gym usage; the only employee to have to work extended hours on one occasion; reassignment to a different workstation; and fearing the loss of his job, I am not convinced that any of this is attributable to the actions of the respondent or that the respondent conducted itself in a high-handed manner towards the applicant nor did the respondent clearly cause the “injury” to the applicant which he alleges.

[58] I am of the view that the alleged breach of the PIPEDA was the result of an unfortunate misunderstanding on the part of the respondent with respect to the question of consent by subscribers to its corporate membership program which has now been resolved. I do not find that the breach was the result of any sort of malicious behaviour on the part of the respondent: Hill v. Church of Scientology of Toronto, 1995 CanLII 59 (S.C.C.), [1995] 2 S.C.R. 1130, [1995] S.C.J. No. 64, at para. 196, that would justify the award of damages, let alone aggravated or punitive damages, for the respondent’s conduct.

Stevens v. SNF Maritime Metal Inc., 2010 FC 1137

In this case, the applicant had apparently defrauded his employer. Another company, who was a party to the applicant’s conduct, disclosed information about the applicant’s actions to his employer. The employee was terminated and claimed damages against the other company for the resulting loss.

The Court saw this as an end-run around any claims he might have against his employer and noted that damages are only available for breach of privacy, not for a case such as this:

[27] PIPEDA’s s. 14 right and s. 16 remedy is not a substitute for matters which are truly claims for wrongful dismissal. The Court must examine the real nature of the remedy claimed. Such claims as humiliation, loss of community support, diminution of standings and loss of income flowing therefrom (to name but a few) caused by breach of the Act fall within the statutory cause of action created by the Act. Claims for loss of income and similar loss due to termination of employment not caused by breach of the Act, do not.

[28] The source of the Applicant’s complaint is the loss of his employment. He even claims for loss due to loss of a second job. But all of his loss claimed is tied directly to his termination for cause. While the termination might not have occurred if there had not been disclosure, the nexus to the claimed loss is termination of employment for which Stevens had, but gave up, the right to claim was unlawful.

[29] The PIPEDA right of action is not an end run on existing rights to damages. It is a right to a different type of damages claim – breach of the right to privacy.

[30] The Applicant’s claim, in excess of $148,000, is out of proportion to the privacy invaded. The information disclosed was not deeply personal or intimate. It was commercial and the type of information frequently spoken about in a social context.

Arcand v. Abiwin Co-operative Inc., 2010 FC 529

A general release signed to settle litigation also is a bar to a proceeding for damages under PIPEDA in the Federal Court related to matters raised in the litigation.

Nammo v. Transunion of Canada Inc., 2010 FC 1284

In this case, the self-represented applicant alleged that the credit bureau had violated the accuracy principle of PIPEDA and sought damages related to having been wrongfully denied a loan due to erroneous information in his credit file.

The court awarded $5000 in damages after considering the principles to be applied by the court in awarding damages under the statute.

[71] As indicated, PIPEDA provides the Court broad remedial powers and, in my view, s. 16 of PIPEDA permits the Court, in an appropriate case, to award damages even when no actual financial loss has been proven. In Randall v Nubodys Fitness Centres, 2010 FC 681, Justice Mosley found that an award of damages under s. 16 is not to be made lightly and that such an award should only be made “in the most egregious situations.” This is such a situation. In Randall, which involved the disclosure of how often the applicant used his gym membership to his former employer, Justice Mosley determined that the impugned disclosure of personal information was “minimal,” that there had been no injury to the applicant sufficient to justify an award of damages, that the respondent did not benefit commercially from the breach of PIPEDA, that the respondent did not act in bad faith, and, perhaps most importantly, that there was no link between the disclosure and the employer’s alleged retaliation against the applicant. The same cannot be said here. Not only was the disclosure of inaccurate information directly linked to the refusal of the loan and the associated injury to the applicant, but the respondent also profited from the disclosure and acted in bad faith in failing to take responsibility for its error and failing to rectify the problem in a timely manner. The violation of Mr. Nammo’s rights under PIPEDA was not “the result of an unfortunate misunderstanding,” as was the case in Randall. It was a serious breach involving financial information of high personal and professional importance. The fact that there is no precedent for an award of damages under PIPEDA should not impact the Court from making an award of damages where the circumstances and justice demands it. In my view, for the reasons that follow, this is such a case.
[74] The Supreme Court found that “to be ‘appropriate and just’, an award of damages must represent a meaningful response to the seriousness of the breach and the objectives of compensation, upholding Charter values, and deterring future breaches.” In my view, the same reasoning applies to a breach of PIPEDA, which is quasi-constitutional legislation.

[75] In Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, the Supreme Court held that the Privacy Act, R.S.C.1985, c. P-21, was quasi-constitutional legislation that must be interpreted with its special purposes in mind. In Eastmond v Canadian Pacific Railway, 2004 FC 852, at para. 100, Justice Lemieux confirmed that PIPEDA also enjoys quasi-constitutional status:

I have no hesitation in classifying PIPEDA as a fundamental law of Canada just as the Supreme Court of Canada ruled the federal Privacy Act enjoyed quasi-constitutional status (see Justice Gonthier's reasons for judgment in Lavigne v. Canada (Office of the Commissioner of Official Languages, [2002] 2 S.C.R. 773 at paragraphs 24 and 25).

[76] Applying the Supreme Court’s reasoning in Ward to PIPEDA applications before this Court indicates that both the question of whether damages should be awarded and the question of the quantum of damages should be answered with regard to whether awarding damages would further the general objects of PIPEDA and uphold the values it embodies. Furthermore, deterring future breaches and the seriousness or egregiousness of the breach would be factors to consider.

[77] One of the central objects of PIPEDA is to encourage those who collect, use and disclose personal information to do so with a degree of accuracy appropriate to the use to which the information is to be put and to correct errors quickly and effectively. I have found that TransUnion failed to collect accurate information on the applicant. Further, when apprised of its error, it failed to address the complaint quickly and effectively. It further failed to quickly and effectively correct the inaccurate information it had disseminated. Lastly, it failed to take responsibility for its error, first blaming CBV, and then in this action attempting to attribute some blame to the applicant. In my judgment, these are circumstances that warrant an award of damages based on the considerations of vindication and deterrence.

R. v. Gomboc, 2010 SCC 55

Police, without a warrant, obtained information about electricity consumption from a utility company and used that info to get a search warrant.

The Court considered that Alberta's Electrical Utilities Act and related Code of Conduct Regulation would have given the homeowner the ability to keep electricity consumption information confidential, but the homeowner did not opt out. The Court also noted that the utility was not a disinterested third party because the circumvention of the electricity meter meant that it was also being defrauded by the illegal consumption of electricity.

In the result, the Court concluded that the above factors combined with the specific language in the electricity services contract led to reduced expectation of privacy. The Information was not collected contrary to the Charter and was admissible.

Monday, January 03, 2011

Privacy year in review (2010): Legislation

This is the first in a multi-part series of postings looking back at the year 2010 in privacy in Canada.
Bill 89: Personal Health Information Act (NS)

The Nova Scotia government finally re-introduced the Personal Health Information Act in the fall of 2010, but it's still working its way through the provincial legislature. Hopefully, it will not be long before Nova Scotia joins New Brunswick, Newfoundland and Ontario with third-generation health privacy laws. It should be noted, while we're thinking about the year that was, that both New Brunswick's Personal Health Information Privacy and Access Act and Newfoundland's Personal Health Information Act came into force this past year.

All of these are designed to be substantially similar to PIPEDA so that PIPEDA would cease to apply to most health information in the relevant provinces. None of them have yet been so-declared, though.

PIPEDA Revisions

The LONG awaited result of PIPEDA’s so-called five year review was introduced on May 25, 2010 as Bill C-29 and has yet to get to second reading. Unless there’s an election (and who knows about that ...), here are the main features:

Business Contact Information

The first significant change is the exclusion of “Business Contact Information” from the purview of the statute. "Business Contact Information" refers to an individual’s name, position name or title, work contact details (including e-mail address) and any similar information of the individual. Under the new Section 4.01, such information is excluded from the provisions of PIPEDA if it is collected, used or disclosed solely for the purpose of communicating with the individual in relation to their work.

Valid Consent

Bill C-29 raises the bar on, or at least clarifies, what is necessary to get consent from an individual. Section 6.1, entitled “Valid Consent”, clarifies that the consent required under Principle 3 of the CSA Model Code is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. This likely raises the bar on what is valid consent.

Witness Statements and Work Product

In Section 7, which allows the collection, use or disclosure of personal information without consent, a number of changes have been added to permit the collection, use and disclosure of information in witness statements where it is necessary to assess, process or settle an insurance claim. In addition, information produced by individuals in the course of their employment is exempt from the consent requirements provided that the collection, use and disclosure are consistent with the purposes for which the information was produced. This particular exemption codifies what is often referred to as the “work product” exception to consent.

Lawful Authority

Also in Section 7, the government has attempted to clarify what has been a very confusing provision regarding disclosures to law enforcement. Section 7(3)(c.1) permits the disclosure to government institutions and law enforcement where the government body has identified its “lawful authority” to obtain the information. The meaning of "lawful authority" has been very problematic since the first version of PIPEDA, with interpretations ranging from legal authority to compel or just part of a lawful process. Though I have strong opinions on what it should mean, I was looking for clarification on what Parliament thinks it means. I was disappointed. Lawful authority is "defined" in the new Section 7(3)(c.1):

(3.1) For greater certainty, for the purpose of paragraph (3)(c.1)
(a) lawful authority refers to lawful authority other than
(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or
(ii) rules of court relating to the production of records; and
(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

Also in Section 7(3)(c.1), the government has added to the circumstances where information could be disclosed without consent, provided there is lawful authority of course, for the purpose of performing policing services that are not otherwise referred to in Section 7(3)(c.1). Subparagraph (iv) permits a disclosure for the purpose of notifying next of kin of an injured, ill or deceased individual.

Gag Order

A notable addition to PIPEDA is a “gag order” that prohibits an organization from notifying an individual that information has been requested or obtained by a government institution or part of a government institution under a range of provisions contained in Section 7(3). Before it notifies the individual, it has to notify the government institution and get their OK. If the government institution vetoes the disclosure, the organization is not allowed to notify the individual but is required to notify the Privacy Commissioner.

This above provision supplements what had previously been the case where an individual had made a request for access to their own personal information or an account of its collection, use or disclosure where that personal information had been the subject of a government request.

Removing Investigative Bodies

Notably, these amendments have completely done away with investigative bodies. It used to be that under Section 7(3), an organization could disclose personal information to designated investigative bodies for the purposes of investigations. Investigative bodies included the Insurance Fraud Bureau of Canada, most Barristers’ Societies and other professional regulators. Instead, the new Section 7(3)(d.1) permits disclosures to another organization where that disclosure is necessary to investigate a breach of an agreement or a violation of the laws of Canada or Province or is necessary to prevent, detect or suppress fraud where it would be reasonable to expect the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Subsection (d.2) allows disclosures to government institutions or next of kin related to “financial abuse”. Finally, Subsection (d.3) further permits disclosures for notifying the next of kin of injured, ill or deceased individuals.

Business Transactions

The new Section 7.1 permits disclosures and uses of information in connection with a “prospective business transaction”. This term is defined to include a range of transactions, including purchase or sale of a business, mergers and amalgamations, financings, leasings, and joint ventures. Under section 7.1, parties to a prospective business transaction can use and disclose personal information without the knowledge or consent of the individual if they have entered into an agreement that requires the recipient to use and disclose the information solely for purposes related to the transaction, to protect that information with appropriate safeguards and, if the transaction does not proceed, to return or destroy the information within a reasonable period of time.

It is also a condition that the personal information be necessary to determine whether to proceed with the transaction and necessary to complete the transaction. Once the transaction is completed, Subsection (2) permits the parties to the transaction to use and disclose the personal information without consent, provided they have entered into an agreement that requires them to use the information only for the purposes for which it was originally collected, to protect that information, and to give effect to any withdrawal of consent as is already provided for under Principle 3 of the CSA Model Code. It is an overriding condition that the personal information be necessary for carrying on the business or activity that was the object of the transaction, and that the individuals be notified, within a reasonable time after the transaction has been completed, that the transaction has taken place and that their personal information has been disclosed.

This provision that permits the use and disclosure of personal information for business transactions does not apply to business transactions where the primary purpose or result is the purchase, sale or other acquisition of personal information.

Employee Personal Information

The new Section 7.2 will mark a significant change in how PIPEDA applies to employees of federal works, undertakings and businesses. No longer is the consent of the individual required to collect, use and disclose employee personal information if that collection, use or disclosure is necessary to establish, manage or terminate the employment relationship, provided that the employer has notified the individual that the personal information will be or may be collected, used or disclosed for these purposes.

Breach Notification - Notification of the Commissioner

Perhaps the most notable addition to PIPEDA in Bill C-29 is the addition of Division 1.1, which deals with breaches of security safeguards. The new Section 10.1 requires an organization to report to the Privacy Commissioner any “material breach” of security safeguards. Whether the breach is material depends upon the sensitivity of the information, the number of individuals whose personal information was compromised and an assessment by the organization of whether the cause of the breach or a pattern of breaches indicates a systematic problem. The form of the notice will be set out in the regulations. The Commissioner has no power to require the organization to notify individuals, nor does she have any power to seek a remedy on behalf of affected individuals unless they themselves complain.

Breach Notification - Notification of the Individual

The new Section 10.2 deals with notification to the individual, which is mandatory if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Section 10.2(2) defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Subsection (3) then goes on to provide guidance on whether there is a “real risk”, which is based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused. The notification has to contain enough information to allow the individual to understand the significance of the breach to them and to take steps to mitigate that harm. Notice has to be given as soon as feasible after the organization confirms the occurrence of the breach and concludes that it is required to give notice under Section 10.2(1). The form and manner of notice may be prescribed in regulations, which I anticipate will allow for notice to large groups of people through the mass media where it is not feasible to give individual notice.

The new Section 10.3 allows organizations to give breach notification to other organizations that will help to reduce the risk of harm that could result from the breach or to mitigate that harm.

Bill C-28, Fighting Internet and Wireless Spam Act or FISA

After what has been a very, very long process, 2010 finally saw the passage of Canada’s attempt to grapple with unsolicited commercial e-mail through Bill C-28, Fighting Internet and Wireless Spam Act. The bill, in various forms, had been previously introduced and fell off the order paper.

Here are some of the highlights:

  • General prohibition against sending unsolicited commercial e-mail messages unless you have the explicit or implicit consent of the individual. Similar to the National Do Not Call List, implicit consent is found if there is an existing business relationship or if you can clearly imply the individual recipient’s consent based on a number of factors, such as a person making a business e-mail address generally available without anything in the context making it clear that unsolicited messages are not welcome.
  • The statute also deals with malware, spyware and rootkits, with a prohibition against installing such software without the consent of the individual.
  • It is an offense to send e-mail messages with a misleading subject line or with faked sender information.
  • The statute includes a private right of action and significant “administrative monetary penalties” for non-compliance.

The statute is quite odd in a number of respects, particularly because enforcement is not in the hands of one regulator but is divided among three. The Privacy Commissioner has jurisdiction over the electronic collection of e-mail addresses for solicitation lists and dealings with those lists. The Competition Bureau deals with misleading commercial solicitations and the Canadian Radio-television and Telecommunications Commission (aka CRTC) deals with the rest of it, including the ability to levy the controversial administrative monetary penalties.

Though it has been passed by both houses of Parliament and has received Royal Assent, it’s not yet clear when it will be proclaimed into force by the Government.

Overall, the Act is good news but don’t expect your spam filter to become obsolete.

Here’s the Parliamentary Library Summary:

Stay tuned for the next installment dealing with significant caselaw and significant findings.