Sunday, July 27, 2014

Ontario court to hear telcos' challenge of police request for "tower dumps" including info on 40,000+ customers

An Ontario court has agreed to hear a Charter challenge brought by Rogers and Telus in response to a police request for "tower dumps" with records on over 40,000 calls or customers. The police subsequently withdrew its request, but the judge has agreed to hear the case in any event, given the important privacy interests at stake.

The short recital of the facts is very interesting and suggests the initial production order is staggeringly broad, requiring the production of personal information about tens of thousands of people who had nothing to do with the crime being investigated: [8] Mobile telephones check into wireless networks by connecting to antennas that are frequently mounted on towers. A record is created whenever the telephone attempts or completes a communication which could be a phone call, text message or e-mail. The record identifies the particular tower at which the phone connected to the system. Each tower serves a geographical area ranging from a 10-25 km radius in the country and 1-2 km, radius (or even less) in the city. [9] The production orders against Rogers and Telus are in similar form. The orders require cell phone records for all phones activated, transmitting and receiving data through 21 specified Telus towers and 16 Rogers towers. The orders require the name and address of every subscriber making or attempting a communication and the particular cell tower being utilized. The orders are framed such that if both the person initiating and receiving the communication are Rogers (or Telus) subscribers, then information regarding the recipient must also be provided and the cell tower the recipient used must also be provided. The orders also require billing information which may include bank and credit card information.

[10] Telus and Rogers are both contractually obliged, subject to narrow exceptions, to keep customer personal information private and confidential.

[11] The existing order will require Telus to disclose the personal information of at least 9,000 individuals. Rogers estimates that it will be required to conduct 378 separate searches and retrieve approximately 200,000 records related to 34,000 subscribers.

[12] The existing orders do not specify how the customer information is to be safeguarded and does not restrict the purposes for which the PRP may use the information. For example the PRP is not restricted from retaining the information and using it with respect to unrelated investigations.

[13] The Telus affidavit indicates that since 2004 it has dealt with thousands of court orders requiring cell records. In 2013 alone, it responded to approximately 2,500 production orders and general warrants. To the knowledge of the Telus deponent, the order that it now challenges is the most extensive to date in terms of the number of cell tower locations, and length of time periods, for which customer information is required.

[14] The Rogers affidavit indicates that from 1985 to 2014 it has complied with many thousands of production orders. In 2013, alone it produced 13,800 “files” in response to production orders and search warrants.

The court also highlights that the privacy of millions of Canadians is implicated by the decision:

[41] With respect to the third criterion, sensitivity to the count’s proper law making function, there is effectively an ongoing dispute between the police and telecommunications providers. The fact the “tower dumps” are frequently used by police as an investigative tool is reflected in the material before me and is evident as a matter of judicial experience. The Rogers-Telus applications directly concern 40-50,000 individuals, it is safe to infer that the number of individuals affected across Canada would be in the hundreds of thousands, if not millions, every year.

See: R. v. Rogers Communications Partnership, 2014 ONSC 3853 and Telecoms’ charter case to be heard | The Chronicle Herald.

Thursday, July 10, 2014

Privacy Commissioner cautions insurers about the use of genetic testing

The Office of the Privacy Commissioner of Canada has today released a policy statement on genetic testing and the insurance industry. Essentially, the document says to tread carefully, but the subtext clearly is much more negative towards the practice.

From the media release:

News Release: Office of the Privacy Commissioner of Canada issues statement on the use of genetic test results by life and health insurance companies - July 10, 2014

OTTAWA, July 10, 2014 – The Office of the Privacy Commissioner of Canada is urging the life and health insurance industry to call on its members to refrain from asking applicants for access to existing genetic test results for the purposes of underwriting an insurance policy at this time.

“As science and technologies advance, protecting genetic privacy will become increasingly important and challenging,” says Privacy Commissioner Daniel Therrien.

“We are calling on the industry to refrain from asking for existing test results to assess insurance risk until the industry can clearly show that these tests are necessary and effective in assessing risk. This would allow people to undergo genetic testing for various purposes without fear that the results may have a negative impact if they apply for insurance.”

The step called for in the policy statement issued today would effectively expand the industry’s current voluntary moratorium on asking applicants to undergo genetic testing. The statement outlines the Office of the Privacy Commissioner’s position with respect to the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) to this practice.

The statement says: “It is not clear that the collection and use of genetic test results by insurance companies is demonstrably necessary, effective, proportionate or the least intrusive means of achieving the industry’s objectives at this time.”

The statement reflects the Office of the Privacy Commissioner’s ongoing work on the privacy implications associated with genetic information.

The issue has prompted the introduction of private members’ bills at both the federal and provincial levels, and the issue was mentioned in the most recent Speech from the Throne.

The Office of the Privacy Commissioner has provided the statement to the Canadian Life and Health Insurance Association.

The Commissioners of Alberta, British Columbia and Quebec – all provinces with substantially similar private-sector legislation – support the work done by the Office of the Privacy Commissioner of Canada. Insurance companies in those provinces will need to consider provincial legislation in addressing these issues.

For more information about the two research papers that contributed to this statement and the OPC’s strategic priorities, please see:

Tuesday, July 08, 2014

Catherine Tully appointed new FOIPOP Review Officer of Nova Scotia

The Nova Scotia government has just announced the appointment of the new FOIPOP Review Officer for Nova Scotia, Catherine Tully.

Here's the media release:

New FOIPOP Review Officer Appointed | novascotia.ca

New FOIPOP Review Officer Appointed

Department of Justice

July 8, 2014 1:07 PM

Catherine Tully of Ottawa has been appointed Nova Scotia's new freedom of information and protection of privacy review officer.

Ms. Tully will oversee how provincial and municipal governments, school boards, universities, community colleges and hospitals protect the privacy of Nova Scotians and respond to requests for access to information.

"This is an important oversight role," said acting Justice Minister Mark Furey. "Nova Scotians have a right to information held by government and they expect us to protect their private information. I'm very pleased we have a strong leader to fulfill this responsibility. Ms. Tully has tremendous leadership and practical experience to bring to this role."

Ms. Tully has over 10 years of senior experience with government agencies and Crown corporations dedicated to access to information and privacy law. She's been the assistant information and privacy commissioner for British Columbia and, most recently, was the director of privacy and access to information for Canada Post. Although she spent much of her work and educational career in Ontario and British Columbia, Ms. Tully completed a master's degree in international law and human rights at Dalhousie University.

"I look forward to working with public bodies and health custodians to help them find practical solutions to the tough access and privacy issues," said Ms. Tully. "For citizens, I will continue the work of ensuring that Nova Scotians have meaningful access to government information and real protection of their personal information.

"I am honoured by this appointment and look forward to my return to Nova Scotia to tackle the opportunities and challenges of review officer."

The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer accepts appeals from people and organizations who are not satisfied with the response they received from provincial government departments, most provincial agencies, boards and commissions, municipal government organizations and public bodies including community colleges, hospitals, universities, and school boards.

The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.

Ms. Tully will begin Sept. 8.