Saturday, October 27, 2012

Despite police chiefs' representations, lawful access is irretrievably broken

If you’re a regular reader of this blog, you’ll know that I’m not a fan of Bill C-30. At all. My most acute concern relates to warrantless access to the names and addresses of customers of telecommunications service providers. Reviewing the very interesting and thought-provoking materials of the Canadian Association of Chiefs of Police hasn’t changed my mind.

This opposition isn’t based on the shameful way the bill was introduced (“you’re either with us or with the child predators”), but based on the premise that the police should not be able to require anybody to provide information about an individual in the absence of reasonable grounds to believe that the information either is or will lead to evidence of a crime that has been, is being or will be committed, and the appropriate checks and balances.

In my view, the only way to provide the checks and balances is to have an impartial party make the determination of whether individual privacy rights need to give way to the public interest in preventing and investigating crime. The police clearly have a job to do, but they are not in a position to appropriately balance these interests. Only an impartial judge can.

As for the suggestion that there really isn’t a privacy interest in customer name and address, I disagree. (Notwithstanding some recent caselaw on this point.) When the police are legitimately looking for a customer name and address to attach to an IP address, it is not being done in a vacuum. The police already have collected evidence (presumably of a crime) and are looking to connect that to a person. People have a reasonable expectation of privacy in what they do in their day-to-day lives online and it should be up to a judge to determine whether that connection can be made.

The Criminal Code already contains all the tools necessary to deal with this. For example, under Section 487.012, the police can obtain a production order against an internet service provider to hand over customer name and address information if they can satisfy the judge of the following:

(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that there are reasonable grounds to believe that
(a) an offence against this Act or any other Act of Parliament has been or is suspected to have been committed;
(b) the documents or data will afford evidence respecting the commission of the offence; and
(c) the person who is subject to the order has possession or control of the documents or data.

It’s only that the order must lead to evidence. Not the smoking gun or as a last resort. Just some evidence. It’s a very low threshold. This would be applicable in cases of child pornography, exploitation, threats, extortion, kidnapping, a rapist who left his phone at the scene and just about every other case cited by the Canadian Association of Chiefs of Police. It’s not an onerous burden.

The officer should appear in front of a judge with a sworn affidavit that sets out the evidence that an unnamed person using IP address X.X.X.X is engaged in [bad act] and we have reason to believe that the IP address is allocated to [internet service provider]. If the judge thinks that’s sufficient, a production order should be issued.

To put it very simply, if the police cannot convince a judge that the connection should be made, they should not be able to obtain it. If you can’t convince a judge that it will lead to evidence of a crime, the cops should go back to the drawing board.

The main problem pointed to by the proponents of the Bill is that it takes too much effort or too long to get a warrant that requires an internet service provider to hand over customer name and address information that corresponds with an IP address. If that is really the problem they are trying to address, it would be best to address it by making the warrant-seeking process more efficient. Warrantless requests should be left to circumstances where there is a real emergency.

As currently written in Bill C-30, there is effectively no limitation on the circumstances under which police can seek this information. It can be for a parking ticket or some other trivial contravention of the law. The examples the police give are all serious crimes, but C-30 isn’t restricted in that way. (I think the threshold for all production orders should be strengthened to limit the use of these powers to (a) the investigation of serious crimes only under the Criminal Code, the Narcotics Control Act, the Canadian Security Intelligence Service Act and the National Defence Act where there are reasonable and probable grounds to believe that the information is necessary for the investigation of a crime that has occurred or is likely to occur, or (b) where the subscriber about whom the information relates is reasonably believed to be a victim of the crime or whose life or safety is in imminent jeopardy, and the victim’s identity is unknown.)

The second protection should be transparency, in two parts. First, the Attorney General should have to table in Parliament an annual report setting out in detail the number of applications made, the number of investigations they relate to, the offences alleged to have been committed and whether the order was granted. Even better would be including the number of charges laid as a result. This would ensure that the public is informed as to whether these powers are being used appropriately.

The second part should be an obligation to notify the individual whose information was sought, after a reasonable interval of time so that it does not interfere with an ongoing investigation. As drafted in Bill C-30, the individual whose information is sought will likely never know that this information was sought and obtained unless it comes out in open court after charges have been laid. In the current draft C-30, there is actually a gag order that prevents the ISP from telling the individual even if asked.

The information to obtain the disclosure order should be provided to the individual whose information is sought within six months unless a judge agrees, based on affidavit evidence provided by the relevant law enforcement officer, that doing so would be harmful to an ongoing criminal or national security investigation. An individual whose information is wrongfully sought or obtained should have a private right of action against the officer and the officer’s employer if there were not reasonable grounds to seek the information.

Overall, the entire scheme of "lawful access" to customer name and address information is irretrievably broken and needs the protections of independent oversight that only judges can provide.

Friday, October 26, 2012

Canadian police chiefs attempt to revive lawful access

At a time when most observers say that Bill C-30, also known as the "lawful access" bill, is dead in the water, the Canadian Association of Chiefs of Police have today come out swinging, calling for its revival.

In connection with this effort CACP have put together a strong collection of documents to put forward their position. Here's the media release [pdf]:

Police Confirm Canadians’ Top Five Fears About Lawful Access

CACP Renews Appeal for Lawful Access Legislation


VANCOUVER, BC – The Canadian Association of Chiefs of Police (CACP) is launching a renewed effort to inform Canadians as they debate police authority for ‘lawful access’, in the context of Bill C-30 – “Protecting Children from Internet Predators Act.”


“If we stand by and do nothing, criminals will continue to exploit today’s technologies to criminally harass and threaten others and commit frauds, scams and organized and violent crimes with little fear of being caught. Canadians need the same protection against criminals that other western democracies enjoy,” stated CACP President Chief Constable Jim Chu.


Previous Canadian governments have introduced lawful access legislation only to have it ‘die on the order paper.’ The CACP is not willing to watch Bill C-30 fall victim to a similar fate. “If we don’t take a strong stance on this issue, Canadians will not appreciate the limitations that constrain law enforcement in the cyber world. Law enforcement continues to be handcuffed by legislation introduced in 1975, the days of the rotary phone. Today we allow new technologies to be used as a safe-haven for serious criminal activity, but are pulling back from using technology to prevent and investigate these serious crimes,” Chu continues.


“If the laws from the 1970s are not modernized, then organized criminals will plan their killings and kidnappings using telecommunications providers who do not build into their systems the technical ability to be monitored for the purpose of gathering evidence. Terrorists will exploit these same gaps. Victims who have been scammed or extorted over the Internet will be told the electronic footprint linking the suspect to the crime has disappeared because the telecommunications provider has no legal obligation to preserve data. If a suspect lures a child using a landline phone, basic subscriber information is available in a phone directory. But predators today don’t use old technology. The parent of a child who has been lured over the Internet will be told that the police search for their child is delayed because a warrant has to be obtained for basic subscriber information.”


"Criminal bullying is extremely concerning to all Canadians, especially the parents of young children, and Bill C-30 also provides new legislation to help police intervene and investigate cyber bullying in their early stages to prevent needless tragedy. The Bill makes it an offence to use telecommunications, including social media and the internet, to injure, alarm and harass others. " Canadians need to understand what lawful access is truly about.


The CACP has created a video entitled “Police Confirm Canadians’ Top Five Fears About Lawful Access” which can be viewed at http://youtu.be/ymVqkugH8PU. In addition, to promote informed discussion on this issue, the CACP has prepared a document entitled “Simplifying Lawful Access – Through the Lens of Law Enforcement.” It is available on the CACP website (www.CACP.ca) or directly at http://www.cacp.ca/media/library/download/1243/Final_Simplifying_Lawful_Access_final_english.pdf


The document compares today’s environment to the proposed new legislation, provides answers to ‘frequently asked questions’ and includes a series of case studies describing how law enforcement uses basic subscriber information.


“While the CACP endorses Bill C-30, we would like to make it clear there is one part of the bill that has posed concerns to some and we share that concern. Section 34 is currently worded suggesting that an inspector can search anything, including a Canadian's private information at a telecommunications provider's facility, to verify compliance with the act. It is easy to understand why some might conclude from such wording that inspectors would have unfettered access to Canadians' personal records when doing these inspections. While we realize this is not the intention of this section, this must be clarified.


We recognize such inspections are required but the wording in Section 34 needs to be changed to assure Canadians that their personal information will never be a part of that inspection.”


The CACP urges our politicians to provide police with modern tools so they can better protect Canadians from harm. Bill C-30 would achieve this. The CACP agrees with the stronger accountability and oversight provisions in C-30 that protect the public against misuse of police intercept powers. The CACP urges Members of Parliament, the media and all Canadians to review the importance of this legislation through the lens of today’s victims of crime, and the frontline law enforcement officers who are trying to prevent and investigate crimes.


The Canadian Association of Chiefs of Police was established in 1905 and represents approximately 1,000 police leaders from across Canada. The Association is dedicated to the support and promotion of efficient law enforcement and to the protection and security of the people of Canada. Through its member police chiefs and other senior police executives, the CACP represents in excess of 90% of the police community in Canada which include federal, First Nations, provincial, regional and municipal, transportation and military police leaders.


I'll have more to say in the near future about the document produced by the CACP, but in the meantime it will be interesting to see if this will have any effect on the toxic bill.

Thursday, October 25, 2012

Supreme Court will hear Alberta case on constitutionality of privacy legislation

The Supreme Court of Canada has just granted leave to appeal United Food and Commercial Workers, Local 401 v Alberta (Attorney General).

In this case, among other things, the Alberta Court of Appeal found that portions of Alberta's Personal Information Protection Act were unconstitutional as it does not take into account freedom of expression guaranteed under the Charter of Rights and Freedoms.

I've blogged about this case in the past. Check out the tag UFCW Case (Alberta).

From the SCC:

Supreme Court of Canada - Decisions:

Information and Privacy Commissioner et al. v. United Food and Commercial Workers, Local 401 et al. (Alta.) (Civil) (By Leave) (34890)

(The applications for leave to appeal are granted with costs to be determined by the panel hearing the appeals.)

Coram: McLachlin / Rothstein / Moldaver

Tuesday, October 23, 2012

Bill C-12, PIPEDA amendments referred to committee (see correction)

It appears that Bill C-12 is being dusted off and will be sent to committee:
Order Paper and Notice Paper No. 167

C-12 — September 29, 2011 — The Minister of Industry and Minister of State (Agriculture) — Second reading and reference to the Standing Committee on Industry, Science and Technology of Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act.

Correction: Apparently it has not been referred to committee yet. It has been "on the order paper" to do so for some time, but the status of C-12 has not changed. Thanks to Jason Kee for pointing this out.

Managing and responding to data breaches

This morning I had the pleasure of speaking at the High Technology Investigation Association (Atlantic Chapter) annual professional development event. I was asked to speak about managing and responding to data breaches, particularly in light of the upcoming data breach notification requirements expected to be added to PIPEDA under Bill C-12 (currently languishing in Parliament).

Here's the presentation for anyone who may be interested:

Saturday, October 20, 2012

Interview - CBC Radio Day 6 - Catching Cyberbullies

I was interviewed by Brent Bambury on CBC Radio's Day 6 on October 20, 2012 to discuss cyberbullying. The full audio is available below.

Catching Cyberbullies - Day 6 - CBC Player

In the wake of Amanda Todd's suicide, cries for justice have echoed around the world. Millions have watched the heart wrenching YouTube video where she describes how she was targeted online and bullied at various schools. Hundreds of thousands have signed petitions and called for law enforcement to arrest the cyber bullies and predators who tormented her for years. Privacy, Internet and media lawyer David Fraser discusses some of the complexities of this type of case.

Friday, October 19, 2012

Discussions about online bullying and harassment

The tragic story of Amanda Todd, a Victoria-area teenager who took her own life after a long period of being stalked and extorted by an adult and bullied by her peers, has placed a renewed focus on online bullying in Canada.

Over the past week, I've contributed to a number of discussions on the topic, including the following:

Catching Cyberbullies | Day 6 with Brent Bambury | CBC Radio: In the wake of Amanda Todd's suicide, cries for justice have echoed around the world. Millions have watched the heart wrenching YouTube video where she describes how she was targeted online and bullied at various schools. Hundreds of thousands have signed petitions and called for law enforcement to arrest the cyberbullies and predators who tormented her for years. Privacy, Internet and media lawyer David Fraser discusses some of the complexities of this type of case. [Audio of interview to be broadcast on October 20, 2012 is available here]

Cyberbullying Panel | CBC The National | CBC TV: Following the death of Amanda Todd, Wendy Mesley hosts a panel on the desire for justice in cyberbullying cases and if the legal system should get involved. [Video, originally broadcast October 19, 2012 is available here (skip to about 30 minutes in)]

Interview with Paul Hollingsworth | CTV Atlantic

Supreme Court of Canada finds reasonable expectation of privacy in work-issued laptop

The Supreme Court of Canada just released its decision in R v Cole, 2012 SCC 53, in which a majority of justices of the Court held that a teacher at a school had a reasonable expectation of privacy in the contents of his work-issued laptop. Nevertheless, evidence of child pornography found on it by the school, which was then given to the police, was found to be admissible evidence.

This is bound to be a controversial decision that will have repercussions in the employment law context as well as in criminal trials.

Here's the headnote from the case:

R v Cole, 2012 SCC 53

ON APPEAL FROM THE COURT OF APPEAL FOR ONTARIO

Constitutional law — Charter of Rights — Search and seizure — Information contained on computer — Pornographic pictures of child found on employer-issued work computer — Whether accused had reasonable expectation of privacy in employer-issued work computer — Whether warrantless search and seizure of laptop computer and disc containing Internet files breached accused’s rights under s. 8 of Charter — If so, whether evidence ought to be excluded pursuant to s. 24(2) of Charter.

The accused, a high-school teacher, was charged with possession of child pornography and unauthorized use of a computer. He was permitted to use his work-issued laptop computer for incidental personal purposes which he did. While performing maintenance activities, a technician found on the accused’s laptop a hidden folder containing nude and partially nude photographs of an underage female student. The technician notified the principal, and copied the photographs to a compact disc. The principal seized the laptop, and school board technicians copied the temporary Internet files onto a second disc. The laptop and both discs were handed over to the police, who without a warrant reviewed their contents and then created a mirror image of the hard drive for forensic purposes. The trial judge excluded all of the computer material pursuant to ss. 8 and 24(2) of the Canadian Charter of Rights and Freedoms. The summary conviction appeal court reversed the decision, finding that there was no s. 8 breach. The Court of Appeal for Ontario set aside that decision and excluded the disc containing the temporary Internet files, the laptop and the mirror image of its hard drive. The disc containing the photographs of the student was found to be legally obtained and therefore admissible. As the trial judge had wrongly excluded this evidence, the Court of Appeal ordered a new trial.

Held (Abella J. dissenting): The appeal should be allowed. The exclusionary order of the Court of Appeal is set aside and the order of a new trial is affirmed.

Per McLachlin C.J., and LeBel, Fish, Rothstein, Cromwell and Moldaver JJ.: Computers that are reasonably used for personal purposes — whether found in the workplace or the home — contain information that is meaningful, intimate, and touching on the user’s biographical core. Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected. Ownership of property is a relevant consideration, but is not determinative. Workplace policies are also not determinative of a person’s reasonable expectation of privacy. Whatever the policies state, one must consider the totality of the circumstances in order to determine whether privacy is a reasonable expectation in the particular situation. While workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely. A reasonable though diminished expectation of privacy is nonetheless a reasonable expectation of privacy, protected by s. 8 of the Charter. Accordingly, it is subject to state intrusion only under the authority of a reasonable law.

The police in this case infringed the accused’s rights under s. 8 of the Charter. The accused’s personal use of his work-issued laptop generated information that is meaningful, intimate, and organically connected to his biographical core. Pulling in the other direction are the ownership of the laptop by the school board, the workplace policies and practices, and the technology in place at the school. These considerations diminished the accused’s privacy interest in his laptop, at least in comparison to a personal computer, but they did not eliminate it entirely. On balance, the totality of the circumstances support the objective reasonableness of the accused’s subjective expectation of privacy. While the principal had a statutory duty to maintain a safe school environment, and, by necessary implication, a reasonable power to seize and search a school-board issued laptop, the lawful authority of the accused’s employer to seize and search the laptop did not furnish the police with the same power. Furthermore, a third party cannot validly consent to a search or otherwise waive a constitutional protection on behalf of another. The school board was legally entitled to inform the police of its discovery of contraband on the laptop. This would doubtless have permitted the police to obtain a warrant to search the computer for the contraband. But receipt of the computer from the school board did not afford the police warrantless access to the personal information contained within it. This information remained subject, at all relevant times, to the accused’s reasonable and subsisting expectation of privacy.

Unconstitutionally obtained evidence should be excluded under s. 24(2) if, considering all of the circumstances, its admission would bring the administration of justice into disrepute. The conduct of the police officer in this case was not an egregious breach of the Charter. While the police officer did attach great importance to the school board’s ownership of the laptop, he did not do so to the exclusion of other considerations. The officer sincerely, though erroneously, considered the accused’s Charter interests. Further, the officer had reasonable and probable grounds to obtain a warrant. Had he complied with the applicable constitutional requirements, the evidence would necessarily have been discovered. Finally, the evidence is highly reliable and probative physical evidence. The exclusion of the material would have a marked negative impact on the truth-seeking function of the criminal trial process. The admission of the evidence would not bring the administration of justice into disrepute and therefore the evidence should not be excluded.

Generally speaking, the decision to exclude evidence under s. 24(2) should be final. In very limited circumstances however, a material change of circumstances may justify a trial judge to revisit an exclusionary order. In this case, the Court of Appeal invited the trial judge to re-assess the admissibility of the temporary Internet files disc if the evidence becomes important to the truth-seeking function as the trial unfolds. Unconstitutionally obtained evidence, once excluded, will not become admissible simply because the Crown cannot otherwise satisfy its burden to prove the guilt of the accused beyond a reasonable doubt.

Per Abella J. (dissenting): While it is agreed that there has been a Charter breach, the evidence in this case should be excluded under s. 24(2). The Charter-infringing conduct in this case was serious in its disregard for central and well-established Charter standards. The police officer had years of experience in investigating cyber-crime and was expected to follow established Charter jurisprudence. Further, the police officer’s exclusive reliance on ownership to determine whether a warrant was required, was unreasonable and contradicted a finding of good faith for the purposes of s. 24(2). There were also no exigent circumstances or other legitimate reasons preventing the police from getting a warrant. The decision not to get a warrant mandates in favour of exclusion.

The impact of the breach on the accused’s Charter-protected interests, even assuming that his reasonable expectation of privacy was reduced because it was a workplace computer, was significant given the extent of the intrusion into his privacy. The warrantless search and seizure in this case included the entire contents of the accused’s computer. It had no restrictions as to scope. The extent of the search of the accused’s hard drive and browsing history was significant and weighs in favour of exclusion.

Finally, while the evidence in this case is reliable, its importance to the prosecution’s case is at best speculative given that the pornographic photographs themselves were admitted.

Balancing these factors, and in light of the deference owed to trial judges in applying s. 24(2), the evidence should be excluded.

Thursday, October 11, 2012

Canadian internet surveillance bill dying in Parliament

John Ibbitson writes in the Globe & Mail that Bill C-30 isn't just dying, it's pretty well dead.

It hasn't gone to committee, it hasn't gone anywhere. It's just silently decaying on the order paper.

Let me be among the first to throw a shovel of dirt on its grave.

Here's Ibbitson's opinion piece:

John Ibbitson: The quiet death of the Internet surveillance bill - The Globe and Mail: What Parliament isn’t debating can be as interesting as what it is debating. This fall it emphatically isn’t debating Bill C-30.

That’s because, for all intents and purposes, the Conservatives’ Internet surveillance legislation is dead.

C-30, you will remember, would grant the federal government and law enforcement agencies the power to obtain information about individuals who are online without having to apply for a warrant.

You will also remember that Public Safety Minister Vic Toews endured a world of hurt back in February when he told critics of the bill that they could “either stand with us or with the child pornographers.”

Stung by the widespread opposition, including from the federal and provincial privacy commissioners and from within its own caucus, the Conservative government said it would refer the bill to a committee.

Last May, your correspondent was rebuked by Mr. Toews for writing that the bill was, in reality, “dead in the water.”

“Our government has been very clear, that matter will be referred to a parliamentary committee,” he insisted.

But the five hours of debate needed before the bill could be referred to the committee didn’t happen that May. It didn’t happen in June. It didn’t happen in September, when the House returned from summer recess. October? So far, nada.

When asked when and whether C-30 would come before the House this autumn, Mr. Toews’ spokeswoman, Julie Carmichael, said by email: “Our government is thoroughly reviewing this legislation.

“At all times we will strike an appropriate balance between protecting privacy and giving police the tools they need to do their job,” she wrote.

Which may be another way of saying the Internet surveillance bill is not just dead in the water – it’s at the bottom of the sea.

Nathan Cullen, House Leader for the NDP, says he has asked about the status of C-30 at virtually every one of his weekly meetings with Conservative House Leader Peter Van Loan.

“I always get the exact same answer back, which is a non-answer,” said Mr. Cullen in an interview.

“I don’t know whether it was because the Minister so screwed up the messaging, or whether they’ve had some other input saying they went too far or it just can’t be salvaged,” he speculates.

What isn’t speculation is that the Internet bill has disappeared from the radar – for good, it would appear.

Stephen Harper is likely to have Parliament prorogued this coming winter, in anticipation of a major cabinet shuffle and a throne speech to mark the halfway point in his majority government. With prorogation, C-30 will die on the order paper, unmourned.

A new Public Safety Minister may introduce new lawful access legislation that would require a judicial warrant before anyone could compel an Internet Service Provider to divulge information about a client.

But that’s down the road. What matters is this: If you’re with the child pornographers, or with the privacy commissioners, or with at least some of the Tory caucus, or with the millions of other Canadians who want to limit the power of the federal government to snoop online, you can forget about C-30.

The Tories appear content to leave this political shipwreck alone.

Friday, October 05, 2012

Canadian IT Law Association annual conference coming up ...

All Canadian privacy and nerd-law types take note:

The Sixteenth Annual Canadian Information Technology Law Association (“IT.CAN”) Conference will be held in Montreal, QC, October 29-30, 2012. For the full conference brochure including registration details, visit the association's website at www.it-can.ca. If you have any questions about the program please contact Lisa Ptack, IT.CAN Executive Director at lisa.ptack@rogers.com.

The speakers and content at the IT.Can conference are always top-notch (despite the fact that I'm speaking on privacy topics on the Monday).

Thursday, October 04, 2012

Libraries, privacy law and dealing with law enforcement requests for patron information

I was recently invited by a group of regional librarians in Nova Scotia to speak with them about libraries, privacy law and dealing with law enforcement requests for patron information.

While it's a pretty narrow niche, here's my presentation in case you're interested ...



Update (2012-10-05): In Nova Scotia, public libraries are "public bodies" governed either by the Freedom of Information and Protection of Privacy Act or Part XX of the Municipal Government Act. Both statutes permit public bodies to disclose personal information to law enforcement for law enforcement purposes without the consent of the individual. However, just because a library can make such disclosures doesn't automatically lead to the conclusion that a library should.

The Canadian Library Association has taken some strong positions on patron privacy, such as the Position Statement on Citizenship Access to Information Data Banks - Right to Privacy made in 1987 which includes:

Therefore, to protect the personal rights and privacy of users to consult and borrow library materials without prejudice, the Canadian Library Association endorses the following policy: That names of library users not be released to any person, institution, association or agency for any reasons save as may be legally required by Federal or Provincial laws.

The CLA's earlier (1976) Statement on a Code of Ethics includes general support for patron privacy:

Members of the Canadian Library Association have the individual and collective responsibility to:
  1. support and implement the principles and practices embodied in the current Canadian Library Association Statement on Intellectual Freedom;
  2. make every effort to promote and maintain the highest possible range and standards of library service to all segments of Canadian society;
  3. facilitate access to any or all sources of information which may be of assistance to library users;
  4. protect the privacy and dignity of library users and staff.

Both of these policy statements support the proposition that patron information should only be disclosed where required by law, not just as permitted by law.

In my view, libraries should develop a written policy on interactions with law enforcement that is consistent with a librarian's ethical obligations to protect patrons, which would govern the exercise of discretion. One might come to the conclusion that information about a patron's use of library resources (such as books, computers, etc.) would only be provided pursuant to a warrant or a production order while less sensitive information (was a person at the library at a particular time) may be provided without lawful compulsion. The policy should also say who is able to exercise discretion and make decisions on behalf of the library, with a general prohibition against all disclosures by anyone other than the sanctioned decision-makers.

In order to minimise confusion and clarify processes, such policies should be clearly communicated to local law enforcement.

Finally, I should note that the above is meant to be educational, to assist librarians in seeking proper legal advice on this sensitive topic. Above all, this should not be construed as legal advice.

Privacy Commissioner tables annual public sector privacy report

The Privacy Commissioner of Canada tabled her annual report to Parliament on the Privacy Act, highlighting many challenges with the protection, use and disclosure of personal information in the federal public sector. Here's the media release with links to the report:

News Release: Privacy Commissioner highlights need for better protection of personal information by federal departments and agencies - October 4, 2012:

Privacy Commissioner highlights need for better protection of personal information by federal departments and agencies

Veterans Affairs Canada audit outlines effort to regain confidence

OTTAWA, October 4, 2012 – There is a continued rise in the level of privacy complaints about government by the public, along with greater delays in responding to requests by people seeking access to their personal information, according to Jennifer Stoddart, Privacy Commissioner of Canada, in her 2011-12 Privacy Act annual report which was tabled today in the Parliament. The Commissioner’s report provides details on investigation findings and privacy trends across federal departments and agencies, and also includes the conclusion of an audit into the privacy practices of Veterans Affairs Canada (VAC).

Veterans Affairs Canada audit concludes

The audit of VAC conducted by the Office of the Privacy Commissioner of Canada (OPC) followed a 2010 investigation which uncovered some serious systemic privacy issues involving the handling of veterans’ personal information. Specifically, it was found that a veteran’s sensitive medical information was shared among officials who lacked a legitimate need to see it. Some health information even ended up in ministerial briefing notes detailing the veteran’s advocacy work.

The audit found that VAC has made significant improvements to its privacy practices. For example, following the OPC investigation, VAC reviewed access rights to veterans’ electronic records and subsequently removed privileges outright for some 500 employees while reducing them for 95 percent of others. Investments have also been made in monitoring access to files, educating employees, and developing new policies, procedures and guidelines to respect privacy.

“The Department has agreed to implement all of our 13 audit recommendations and we are pleased with progress made to date,” said Commissioner Jennifer Stoddart, noting that the Office will follow-up with VAC within two years.  “I’m satisfied that our findings paint an encouraging picture of a department now working to better ensure that its practices comply with the Privacy Act. It is clear that senior management has implemented structures and control mechanisms to move the department from one that merely reacts to privacy issues to one capable of addressing them systematically and proactively.  All organizations would best serve Canadians by striving to reach this destination without having to endure a similar journey.”

Record high in access time delays causes concern and action

The Commissioner’s annual report also documents privacy trends within the federal government. This year saw a concerning increase in delayed responses from organizations to individuals seeking personal information held about them, as is a right under the Privacy Act. While this has been a concern for years, the 2011-12 increase reached an all-time high. 

As a result, upon receipt of future time delay complaints, the OPC now provides departments with a maximum four months to commit to a release. Failing that, a “deemed denial” finding will be issued, clearing the way for court action to resolve the matter.

“We note that as awareness and concerns over privacy increase, resources dedicated to facilitating access to personal information for individuals has remained stagnant or even decreased,” said the Commissioner. “Even during a time of greater fiscal restraint, the government shouldn’t cut back on its commitment to meeting the privacy rights of Canadians.” 

Increased numbers of complaints, breach reports

The report also notes that the OPC accepted 986 complaints in 2011-12, marking a 39 percent increase over the previous fiscal year.  The period also saw reported data breaches within federal organizations reach an all-time high of 80.  It must be noted however that because data breach notification within the federal government is voluntary, it’s unclear whether this statistic represents an actual increase in privacy breaches or more diligent reporting by departments.

“Overall, as we take stock upon 30 years of the Privacy Act, the need for a stronger emphasis on respecting privacy within the federal government remains,” added the Commissioner. “We will continue to use the tools and leverage we have to encourage the government to take action.”

The report also details findings from numerous investigations into privacy complaints against other federal organizations, including Correctional Services Canada and the Canada Revenue Agency (CRA). Additionally, following numerous reports of privacy breaches involving employees inappropriately accessing taxpayer information in recent years, the report notes that the OPC has selected the CRA for an audit under Section 37 of the Privacy Act. Work on this has begun and will continue over the coming months.

The full annual report and audit of VAC are available at www.priv.gc.ca. The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.


Tuesday, October 02, 2012

Ontario Court of Appeal rules no expectation of privacy in connecting IP address to customer name

The Ontario Court of Appeal has today released its decision in R. v. Ward, 2012 ONCA 660, in which it held that -- in the circumstances of the case -- a customer has no expectation of privacy in his or her customer name and address when the police come armed with an IP address. I haven't had a chance to digest the full decision, but it gets added to the list of cases that permit the police, in certain circumstances, to obtain customer details when they have the IP address of a suspect.

I expect that this will further embolden those who support the resurrection of lawful access legislation before Parliament.

Similar to other cases that have found no expectation of privacy in customer name and address information, the Ontario Court of Appeal held that Bell Sympatico had expressly "circumscribed" its customer's expectation of privacy:

[100] Setting aside the contractual terms for the moment, I think the “reasonable and informed person” identified by Binnie J. in Patrick, at para. 14, would view a customer’s reasonable expectation of privacy in his or her subscriber information to be circumscribed by the service provider’s discretion to disclose that information to the police where it was both reasonable to do so and a PIPEDA compliant request for disclosure had been made by the police.

Monday, October 01, 2012

Political parties should be included in privacy laws; it'll never happen

The editorial in today's Halifax Chronicle Herald calls upon the government to include political parties within the protections of privacy laws. While it's a good idea, I can't see this happening ... it would require the politicians to agree that their hands should be tied.

PROTECTING PRIVACY: Challenges growing | The Chronicle Herald

PROTECTING Canadians’ privacy in a digital universe is a growing challenge.

Just how big that challenge has become was reflected in recent stories that underline the different ways Canadians’ personal information is not as secure as it should be.

The outcry after Immigration Minister Jason Kenney’s MP office emailed thousands of Canadians on Sept. 14, to boast about government efforts to protect gay refugees, focused on a simple question: How did the politician get those addresses?

Turns out Mr. Kenney’s office captured email addresses from letters that had been automatically sent to him whenever someone had signed a 2011 online petition protesting the deportation of a gay artist from Nicaragua.

Despite the widespread concern over what had happened, however, federal privacy commissioner Jennifer Stoddart’s office last week said that, based on what was known, they lacked jurisdiction.

Which points to an ongoing, glaring weakness in Canada’s laws protecting personal information. Though they collect vast amounts of personal data about voters, political parties in Canada are not, for the most part, bound by federal privacy legislation.

A study commissioned by Ms. Stoddart’s office and released last March found that Canada was one of just a few democratic countries lacking such protection. A poll done for the privacy commissioner’s office two years ago showed 92 per cent of Canadians wanted privacy laws to also cover political parties.

Earlier this month, Elections Canada’s chief electoral officer, Marc Mayrand, said the agency, in the wake of the robocalls scandal last spring, was examining possible regulations to control the huge databanks on voters held by political parties. It’s unclear, however, how comprehensive such regulations could be.

Meanwhile, Ms. Stoddart last week also issued a warning to 11 large commercial websites in Canada that were sharing consumers’ personal data without permission.

It’s time the federal government put enough “teeth” in Canada’s privacy laws to make offenders respect their “bite” — and it’s past time the privacy commissioner was given the power to bring political parties to heel, too.