I was invited to present at an professional development event by the Association of Psychologists of Nova Scotia, on the topic of Privacy 101. In case it's of use to others, here's my slide deck:
Showing posts with label health information. Show all posts
Showing posts with label health information. Show all posts
Friday, September 28, 2018
Presentation: Privacy 101 for Psychologists
Tuesday, January 15, 2013
Massive BC privacy breach involves millions of health records
The Canadian Press, via the CBC, is reporting on a series of new data breaches from British Columbia that likely involved millions of health records. And, as with the HRSDC breaches, portable electronic USB storage devices are involved.
It appears that the province is not planning to notify everyone involved.
B.C. privacy breach shows millions affected - British Columbia - CBC News:
Ministry notifying more than 38,000 people about shared data
The personal-health data of millions of British Columbians has been accessed without proper authorization, and in the most serious cases, the provincial government says it will notify 38,486 individuals of the breaches by letter.
Health Minister Margaret MacDiarmid made the announcement as part of an ongoing investigation into research-grant practices between ministry employees and researchers at the universities of B.C. and Victoria.
MacDiarmid said that during three separate instances in October 2010 and June 2012, the health information was saved on USB sticks and shared with researchers or contractors without the proper permission or protocols.
McDiarmid said the data did not include names, addresses or financial information, but it wasn't supposed to be shared with other health researchers.
Also included was data from Statistics Canada's Canadian Community Health Survey, including information on the mental, physical and sexual health of individuals, as well as their lifestyles and the use of health services.
“We don't have any evidence at all that any of this information was used for any purpose other than health research. There is minimal if any risk that this information that would be used in a way that would be harmful to these individuals.”
MacDiarmid said her ministry decided to write the letters following discussions with the Office of the Information and Privacy Commissioner.
Elizabeth Denham, the information and privacy commissioner, also said Monday her independent investigation should be complete in the coming weeks, and she will then issue a public report with findings and recommendations.
Seven ministry workers have already been fired, sparking two separate lawsuits.
Friday, November 16, 2012
Newfoundland health privacy legislation found "substantially similar" to PIPEDA, exemption order issued
As of October 10, 2012, the Federal Cabinet issued the Personal Health Information Custodians in Newfoundland and Labrador Exemption Order, which has the effect of ceding jurisdiction under PIPEDA with respect to health information custodians under the Personal Health Information Act of Newfoundland and Labrador.
The Order reads:
SI/2012-72 October 10, 2012PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT
Personal Health Information Custodians in Newfoundland and Labrador Exemption Order
P.C. 2012-1091 September 20, 2012
Whereas the Governor in Council is satisfied that the Personal Health Information Act, SNL 2008, c P-7.01, of Newfoundland and Labrador, which is substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act (see footnote a), applies to the personal health information custodians referred to in the annexed Order;
Therefore, His Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act (see footnote b), hereby makes the annexed Personal Health Information Custodians in Newfoundland and Labrador Exemption Order.
PERSONAL HEALTH INFORMATION CUSTODIANS IN NEWFOUNDLAND AND LABRADOR EXEMPTION ORDER
EXEMPTION
1. Any personal health information custodian to which the Personal Health Information Act, SNL 2008, c P-7.01, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal health information that occurs in Newfoundland and Labrador.
COMING INTO FORCE
2. This Order comes into force on the day on which it is registered.
Tuesday, March 15, 2011
Missing Alberta health care provider hard drive had thousands of patient images
An unencrypted hard-drive has gone missing at Covenant Health in Alberta, leading to an investigation by the province's Information and Privacy Commissioner. The drive, it appears, contained exclusively images, but many of them would be considered to be highly sensitive including video of surgeries. The names and hospital numbers of the 3,600 relevant patients are also apparent from the directory and file naming systems. The drive apparently went missing when an employee was moving offices. Because it was not a "portable" drive, the data was not encrypted.
See: Missing hard drive had thousands of patient images - Calgary - CBC News.
Monday, January 17, 2011
Personal Health Information Act for Researchers
I was invited to give a presentation to staff and physicians at the IWK Health Centre in Halifax on the impact of the new Personal Health Information Act on researchers and research activities.
For anyone who may be interested, here is a copy of the presentation:
(If the embedding above is not working for you, this link should take you to the presentation: https://docs.google.com/present/view?id=ddpx56cg_32947mwh5hq&interval=30&autoStart=true&loop=true)
Tuesday, November 09, 2010
Nova Scotia to table health information legislation today
The Nova Scotia Minister of Health is expected to table the latest iteration of the Personal Health Information Act in the Nova Scotia legislature this afternoon. Expect to see the text of the bill here as soon as it's tabled.
Update: The text of Bill 89 is available here.
Wednesday, September 08, 2010
Personal Health Information Act and health research
I have been invited to give a presentation to health researchers at Dalhousie, the IWK Health Centre and the Capital District Health Authority on the upcoming Personal Health Information Act and its impact on health research.
For any others who may be interested, here is the presentation:
The bill fell off the order paper of the Nova Scotia legislature when the house rose for the summer, but we are expecting it will be reintroduced sometime this fall.
Thursday, November 05, 2009
Text of Bill 64, Personal Health Information Act (Nova Scotia) now available
The text of Bill 64, the Personal Health Information Act has now been posted on the Nova Scotia Legislature website.
Wednesday, November 04, 2009
Personal Health Information Act introduced in Nova Scotia
The Minister of Health for Nova Scotia has today introduced the Personal Health Information Act in the legislature. I'll have a link to the text of the bill tomorrow, but in the meantime you can read the release:
Personal Health Information Legislation Introduced News Releases Government of Nova ScotiaPersonal Health Information Legislation Introduced
Department of Health
November 4, 2009 2:46 PM
Nova Scotian's personal health information would be better managed under proposed legislation introduced today, Nov. 4.
The Personal Health Information Act would provide consistent provincial rules for the management of personal information in health care.
"Patient privacy is a fundamental principle in delivering health care. At the same time, it is important that health care professionals can share information in ways that can improve care," said Health Minister Maureen MacDonald. "This legislation balances these important objectives."
The proposed legislation sets out rules for how health information is collected, used, disclosed, retained and destroyed by the health-care sector in Nova Scotia. It better supports a system that uses electronic as well as paper health records and helps provide a more seamless flow of information.
Specific rules include provisions for privacy breach notification audit reports to track who has had access to electronic health records, and requests for people to access to their health information.
Nova Scotia does not have clear health information legislation. It is governed by a mix of federal and provincial laws, health profession codes, and organizational policies and procedures. Nova Scotia joins eight other provinces who have comprehensive legislation to manage personal health information.
I understand that the legislature session ends shortly, so the Bill will not be debated until the new year. It's also reported that the Department plans to have the Bill come into force in January 2011.
Thursday, October 15, 2009
Government declines proposed reforms to access and privacy laws
The Minister of Justice has responded to the Standing Committee on Access to Information, Privacy and Ethics' reports on reform to the Privacy Act and the Access to Information Act with a robust "thanks, but no thanks".
House of Commons Committees - ETHI (40-2) - Reports and Government Responses Report 11 - The Access to Information Act: First Steps Towards Renewal (Adopted by the Committee on June 15, 2009; Presented to the House on June 18, 2009)Government Response: 11th Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Access to Information Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)Report 10 - The Privacy Act: First Steps Towards Renewal (Adopted by the Committee on June 8, 2009; Presented to the House on June 12, 2009)Government Response: Tenth Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Privacy Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)
Thanks to Michael Geist for the pointer.
Some media coverage from the Canadian Press:
The Canadian Press: Harper government refuses to expand information, privacy lawsHarper government refuses to expand information, privacy laws
By Joan Bryden (CP) – 2 hours ago
OTTAWA — The Harper government has quietly nixed recommendations to expand and modernize Canada's access-to-information and privacy laws.
Justice Minister Rob Nicholson's rejection of reforms to the 26-year-old laws sparked accusations Thursday that the Tories have reneged on campaign promises to bring openness and transparency to the federal government.
"The access system now does not work," said Michel Drapeau, a lawyer and a leading expert on accessing government documents.
"They appear to like it this way."
Nicholson's rejection was also greeted with disappointment by privacy experts, who warned that Canada's outdated Privacy Act does not cover modern technologies, such as surveillance cameras and DNA samples collected from suspects.
Nor does it give the privacy commissioner any recourse to the courts when the government inappropriately discloses personal information, no matter how serious the breach.
"We're very disappointed, actually," said Chantal Bernier, assistant privacy commissioner.
"While we agree with the minister that privacy is well protected in Canada, we feel we can do better."
A Commons committee had recommended, among other things, that the information commissioner be given more power to force the government to disclose information in a timely manner.
Drapeau said only 10 to 20 per cent of access requests receive a response within 30 days, as intended under the law. The rest routinely take up to two years with some dragging on as long as four years.
Suzanne Legault, interim information commissioner, said Drapeau's view of the access system is overly pessimistic. She said 57 per cent of requests get a response within 30 days.
Still, she acknowledged there's an "urgent need" to modernize legislation to remedy some "very long delays" in responding to access requests.
Legault pointed out that the act was drafted in the days when bureaucrats kept paper records "in a neat file folder." Now, they are inundated with digital information, such as streams of emails with attachments, that is harder to manage and takes longer to sift through.
"We really live in a world of digital information and the system hasn't adjusted," Legault said.
The Commons committee had also wanted the privacy law expanded to cover new technologies. And it wanted to beef up provisions governing the disclosure of personal information by the Canadian government to foreign states - one of the most urgent needs in the wake of the Maher Arar case, according to Bernier.
Based on information provided by Canadian security authorities, Arar was detained in the U.S. and deported to Syria, where he was tortured.
In responses to the committee tabled quietly last week, Nicholson rejected the proposed reforms as too cumbersome, unnecessary or ill-considered.
He said giving the information commissioner more powers would shift the nature of the job "from an ombudsman model towards a quasi-judicial model," which would be inconsistent with other independent parliamentary watchdogs.
He rejected the notion that information requesters should have direct recourse to the Federal Court if access is refused, arguing that such a reform "would increase the caseload burden on the Federal Court."
On the privacy recommendations, Nicholson ruled out legislative restrictions on the disclosure of personal information to foreign states, arguing that law enforcement and security agencies "require a flexible approach" to information sharing.
"They must be able to share their intelligence within Canada and well as with their foreign partners," he wrote.
Moreover, Nicholson argued that efforts to combat international child abductions, forced marriages and worldwide health threats would be "seriously hampered" by restrictions on information sharing.
Nicholson maintained both the Access to Information Act and the Privacy Act are strong pieces of legislation. And he suggested "administrative alternatives, such as enhanced guidance and training" could be "equally effective" in improving both the access and privacy regimes.
Copyright © 2009 The Canadian Press. All rights reserved.
Thursday, September 10, 2009
Privacy Commissioners call for reconsideration of expanded surveillance powers
The federal, provincial and territorial Privacy Commissioners meeting together in St. John's have issued a statement calling for "caution" on the expansion of investigative powers proposed by the conservative government.
They issued the following media release, referring to resolutions available on the federal Commissioner's website:
Privacy commissioners urge caution on expanded surveillance planST. JOHN'S, Sept. 10 /CNW Telbec/ - Parliament should take a cautious approach to legislative proposals to create an expanded surveillance regime that would have serious repercussions for privacy rights, say Canada's privacy guardians.
Privacy commissioners and ombudspersons from across the country issued a joint resolution today urging Parliamentarians to ensure there is a clear and demonstrable need to expand the investigative powers available to law enforcement and national security agencies to acquire digital evidence.
The federal government has introduced two bills aimed at ensuring that all wireless, Internet and other telecommunications companies allow for surveillance of communications, and comply with government agency demands for subscriber data - even without judicial authorization.
"Canadians put a high value on the privacy, confidentiality and security of their personal communications and our courts have also accorded a high expectation of privacy to such communications," says Jennifer Stoddart, the Privacy Commissioner of Canada.
"The current proposal will give police authorities unprecedented access to Canadians' personal information," the Commissioner says.
The resolution is the product of the semi-annual meeting of Canada's privacy commissioners and ombudspersons from federal, provincial and territorial jurisdictions across Canada, being held in St. John's.
The commissioners unanimously expressed concern about the privacy implications related to Bill C-46, the Investigative Powers for the 21st Century Act and Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act. Both bills were introduced in June.
"We feel that the existing legal regime governing interception of communications - set out in the Criminal Code and carefully constructed by government and Parliament over the decades - does protect the rights of Canadians very well," says Ed Ring, the Information and Privacy Commissioner for Newfoundland and Labrador and host of the meeting.
"The government has not yet provided compelling evidence to demonstrate the need for new powers that would threaten that careful balance between individual privacy and the legitimate needs of law enforcement and national security agencies."
The resolution states that, should Parliament determine that an expanded surveillance regime is essential, it must ensure any legislative proposals:
- Are minimally intrusive;
- Impose limits on the use of new powers;
- Require that draft regulations be reviewed publicly before coming into force;
- Include effective oversight;
- Provide for regular public reporting on the use of powers; and
- Include a five-year Parliamentary review.
At the meeting in St. John's, the commissioners and ombudspersons also passed a resolution about the need to protect personal information contained in online personal health records.
The resolution emphasizes the importance of empowering patients to control how their own health information is used and shared. For example, it calls for developers of personal health records to allow patients to gain access to their own health information, set rules about who else has access, and to receive alerts in the event of a breach.
"Personal health records have the potential to deliver significant benefits for patients and their health care providers. However, given the highly sensitive personal information involved, developers need to ensure they build in the highest privacy standards," says Commissioner Ring.
Both resolutions are available on the Privacy Commissioner of Canada's website, http://www.priv.gc.ca/.
The resolutions are here:
Wednesday, September 02, 2009
IPC issues advice on the "circle of care" under PHIPA
The Information and Privacy Commissioner of Ontario has released written guidance on the "circle of care" under that province's Personal Health Information Protection Act, entitled Circle of Care: Sharing Personal Health Information for Health-Care Purposes.
Here's the news release:
Privacy Commissioner Cavoukian and seven health organizations team up to eliminate confusion over key element of health privacy lawTORONTO, Sept. 2 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released a new publication that includes specific practical examples to help clarify any confusion over when health information custodians can assume a patient's implied consent to collect, use or disclose personal health information.
The brochure, Circle of Care: Sharing Personal Health Information for Health-Care Purposes, was developed with the collaboration of seven health organizations. "This brochure cuts through the confusion surrounding the term circle of care," said the Commissioner. "We are using seven relevant examples from across the broader continuum of the health sector to provide such clarification."
"There had been some confusion in the health sector as to the meaning and scope of the circle of care concept," explained Commissioner Cavoukian. "In part, this may have been because the term does not appear in the Personal Health Information Protection Act, 2004. It is, however, commonly used in the health-care community to describe the provisions in the Act that permit health-care providers to assume a patient's implied consent to collect and use personal health information - and to share that information with other health-care providers - in order to provide health care to that patient, unless the patient expressly indicates otherwise."
The Act is based on the premise that privacy can be protected, without needless delays in the health system.
"Overall, the Act is working very well, but clarity needed to be brought to bear on the circle of care concept," said Commissioner Cavoukian.
The seven examples in the brochure address this. As a fictional 61-year-old patient is followed through much of the health-care system, the examples provide specific guidance relating to when a health provider can assume implied consent.
The seven health organizations that worked with the IPC include (in alphabetical order): the College of Physicians and Surgeons, the Ontario Association of Community Care Access Centres, the Ontario Association of Non-Profit Homes and Services for Seniors, the Ontario Hospital Association, the Ontario Long Term Care Association, the Ontario Medical Association and the Ontario Ministry of Health and Long-Term Care.
Here is a condensed version of one of the examples used in the brochure:
A patient is sent by his family doctor to a laboratory for blood and urine testing. A geriatrician, a specialist whom the patient has been referred to by his family doctor, would like to obtain the results of those tests. He would also like to obtain a list of the patient's current prescriptions from the pharmacy where he fills all his prescriptions.Can the laboratory and pharmacy disclose this personal health information and can the geriatrician collect information based on assumed implied consent?
Yes. The laboratory, pharmacy and geriatrician may assume implied consent. The personal health information was received by the laboratory and pharmacy - and will be received by the geriatrician - for the purpose of providing health care to this patient.
"Personal health information may be shared within the circle of care - among health-care providers who are providing health care to a specific patient - but not outside that circle," stressed Commissioner Cavoukian. "Any sharing of personal health information with other health-care providers for purposes other than the provision of health care - or the sharing of personal health information with persons or organizations that are not health-care providers, such as insurers and employers - requires the express consent of the patient."
To see a copy of the brochure, visit http://www.ipc.on.ca/.
Wednesday, July 08, 2009
Trojan software compromises Alberta's electronic health record system
This is not good and should have been avoidable:
Commissioner urges vigilance in wake of computer virus outbreak at Alberta Health ServicesJuly 8, 2009
The Office of the Information and Privacy Commissioner has been notified by Alberta Health Services that a virus was present on the Alberta Health Services network in Edmonton. The virus impacted the network and Netcare, Alberta’s electronic health record, before it was discovered and removed.
The virus is a new variant of a Trojan horse program called coreflood and is designed to steal data from an infected computer and send it to a server controlled by a hacker. Coreflood captures passwords and data the user of the computer accesses. The virus was active from May 15 to 29 before it was detected and removed.
AHS identified two groups who are potentially at risk. Patients whose health information was accessed in Netcare through an infected computer and employees who accessed personal banking and email accounts from work using an infected computer. AHS is sending letters to the 11,582 patients whose information may have been exposed and has notified all affected employees.
Commissioner Frank Work says this does not necessarily mean Netcare itself has been infected by the virus; rather the virus may have captured patient data accessed through Netcare from an infected computer and sent it to an external party. “While it appears the risk to patients is low, viruses don’t discriminate and this is an important message to everyone about the need to run up to date anti virus software”, says the Commissioner.
The Commissioner’s office is investigating. In the meantime Work is expecting a full forensic report from Alberta Health Services on how this happened and what steps will be taken to prevent future breaches. Work says “AHS responded quickly when the virus was detected and that steps have been taken to notify users and patients with advice on what they should do to protect personal and health information”.
Friday, June 26, 2009
Alberta Commissioner fed up with unencrypted laptops
I can just imagine Frank Work's expression of exaperation in uttering the quote attributed to him in the following media release:
Level of security on stolen laptops simply not acceptable, says CommissionerJune 24, 2009
Level of security on stolen laptops simply not acceptable, says Commissioner
Information and Privacy Commissioner Frank Work is perplexed with news that two laptops containing health information stolen from Alberta Health Services (AHS) were not encrypted. “This is shocking for me...I don’t know what we have to do to drive this message home” says the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less. This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can’t provide security for personal information?”
Two laptops with health information of more than 300,000 people were stolen earlier this month. Information on the laptops included names, birth dates, personal health numbers and lab test results for communicable and reportable diseases.
The Commissioner says AHS did have layers of protection on those laptops, but the final layer simply was not there, and while the risk might be low, there is still a risk, “A person with motivation and sufficient skills could still access the information. Risk remains without properly implemented encryption. The measures they had in place are better than nothing, but not good enough.”
Works says, “Encryption technology is readily available, and if you are going to store personal information on a portable device, you had better make sure that encrypting that information is a priority, a part of your business model, and an everyday occurrence, like making sure the door is locked before you leave home.”
The Office of the Information and Privacy Commissioner has launched an investigation into this matter. Work says, “We will be working very closely with AHS to make sure they understand their obligations and to ensure that steps are taken to prevent this from happening again”.
I pity the (next) fool who loses an unencrypted laptop in Alberta.
Wednesday, May 13, 2009
Ontario Commissioner releases 2008 annual report and prepares for battle with Victoria University
The Information and Privacy Commissioner of Ontario has released her 2008 Annual Report, which makes broad recommendations for changes to the laws in Ontario and calls for the adoption of better practices:
IPC - Office of the Information and Privacy Commissioner/Ontario Commissioner Cavoukian lays out path for increased privacy protection & accountability – doing battle with Victoria UniversityCommissioner Cavoukian lays out path for increased privacy protection & accountability – doing battle with Victoria University
TORONTO – Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is urging the provincial government to make specific legislative changes and take additional steps to protect privacy and ensure greater accountability.
In her 2008 Annual Report, released today, the Commissioner cites how her sweeping recommendations from her seminal investigation into a privacy complaint against the video surveillance program of Toronto’s mass transit system have been hailed in the United States as a model that cities around the world can build upon, and in Canada as “a road map for the most privacy-protective approach to CCTV.”
Among the recommendations she is making in her 2008 Annual Report, are:
Amend the law to make it clear that all Ontario universities fall under FIPPA
The Commissioner is calling on the government to fix a potential omission in the Freedom of Information and Protection of Privacy Act related to which organizations are covered under the Act.
Under amendments that came into force in mid-2006, publicly funded universities were brought under the Act. Due to the wording of an amended regulation, the University of Toronto, in response to a freedom of information request received under the Act, argued that Victoria University, an affiliated university, was not covered under the Act.
“An IPC adjudicator determined that, based on the financial and academic relationship between the two, Victoria was part of the University of Toronto for the purposes of FIPPA,” said Commissioner Cavoukian. “The University of Toronto has not accepted our ruling and is now appealing it – having it ‘judicially reviewed.’ They have chosen to fight openness and transparency, expending valuable public resources in the process. We find this completely unacceptable, which is why we are prepared to go to battle on this issue, in our effort to defend public sector accountability. We should add that this is contrary to our normal process of working co-operatively with organizations to mediate appeals and resolve complaints informally. In this case, however, the university, having thrown down the gauntlet, left us no choice but to respond in kind and aggressively defend our Order in the courts.”
There are more than 20 other affiliated universities in Ontario that may have a different relationship with the university they are affiliated with, says Commissioner Cavoukian. “I am calling on the government to ensure that all affiliated universities are covered by the Act. There is no rationale for these publicly funded institutions to fall outside of the law.”
The government needs to set specific fees for requests for patients’ health records under PHIPA
The IPC has received a number of inquiries and formal complaints from the public regarding the fees charged by some health information custodians when patients ask for copies of their own medical records.
Ontario’s Personal Health Information Protection Act (PHIPA) provides that when an individual seeks copies of his or her own personal health information, the fee charged by a health information custodian shall not exceed the amount set out in the regulation under the Act or the amount of reasonable cost recovery, if no amount is provided in the regulation. No such regulation has been passed.
Commissioner Cavoukian, in her August 2008 submission to the Standing Committee on Social Policy, which conducted a statutorily mandated review of PHIPA, again raised the need for a fee regulation. Two months later, in its report to the Speaker of the Assembly, the Standing Committee indicated its agreement with the Commissioner’s recommendation, stating that the determination of what constitutes “reasonable cost recovery” should not be left to the discretion of individual health information custodians and their agents.
“The Minister of Health,” said the Commissioner, “should make the creation of a fee regulation a priority.”
Ontario’s enhanced driver’s licence (EDL) needs a higher level of protection
The Commissioner is calling on the Minister of Transportation to provide better privacy protection for the EDL. “The radio frequency identity (RFID) tag that will be embedded into the card can be read not only by authorized readers, but just as easily by unauthorized readers,” said Commissioner Cavoukian. “Over time, these tags could be used to track or covertly survey one’s activities and movements.”
The electronically opaque protective sleeve that will come with these enhanced licences – which drivers without a passport will need as of June 1 to drive across the U.S. border – “only provides protection when the driver’s licence is actually encased in the sleeve,” said Commissioner Cavoukian. “But individuals who voluntarily sign up for these enhanced driver’s licences will not only be required to produce them at the border, but will still have to do so in other circumstances where a driver’s licence or ID card is presently required, including in many commercial contexts. The reality is that most drivers will abandon the use of the protective sleeve.”
“An on-off device on the RFID tag would provide greatly enhanced protection,” said the Commissioner. “The default position would be off since drivers don’t need the RFID to be ‘on’ when routinely taking their licence in and out of their wallets, unless they are actually crossing the border. I am urging the government to pursue adding a privacy-enhancing on-off device for RFID tags embedded in the EDLs.”
FOI REQUESTS
The number of freedom of information requests filed across Ontario in 2008 was the second highest ever – 37, 933, trailing only the 38,584 filed in 2007. Nearly two-thirds of the 2008 requests were filed under the Municipal Freedom of Information and Protection of Privacy Act (24,482), to such organizations as police service boards, municipalities, school boards and health boards. In fact, there were more requests filed to police service boards (13,598) than there were for all organizations under the provincial Act (13,451).
FOI requests may be filed for either personal information or general records (which encompasses all information held by government organizations except personal information). And, the majority of requests each year have been for general records. In 2008 – for the second year in a row – the average cost of obtaining general records under the provincial Act dropped – this time, to $42.74 from $50.54, continuing a reversal of what had been a lengthy trend. The average cost of general records under the municipal Act was $23.54, up only a nickel from the previous year.
Among other key statistics released by the Commissioner:
· Since the IPC began emphasizing in 1999 the importance of quickly responding to FOI requests, in compliance with the response requirements set out in the Acts, the provincial 30-day compliance rate has more than doubled, climbing to 85 per cent from 42 per cent. After achieving a record 30-day compliance rate in 2007 of 84.4 per cent, provincial ministries, agencies and other provincial institutions promptly broke the record in 2008, producing an overall 30-day compliance rate of 85 per cent.
· The Commissioner also reported that her office received 507 complaints in 2008 under Ontario’s three privacy Acts, and 919 appeals from requesters who were not satisfied with the response they received after filing an FOI request with a provincial or local government organization. Overall, the IPC resolved 966 appeals and 534 complaints in 2008. The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians, in addition to educating the public about access and privacy issues.
Wednesday, January 28, 2009
Time for a privacy check-up
Today's Halifax Chronicle Herald has an opinion piece by Bob Doherty, the former head of privacy and access with the Nova Scotia Department of Justice:
Time for a privacy check-up - Nova Scotia News - TheChronicleHerald.caTime for a privacy check-up Laws need to be understandable, consistent
By BOB DOHERTY Wed. Jan 28 - 7:25 AM
With today being International Data Privacy Day, it is useful to see just how far society in Atlantic Canada has come in dealing with the complex issue of privacy since the last, almost unnoticed, celebration of this event locally a year ago.
Positive signs are emerging in the efforts to create more privacy consciousness in the region. Dalhousie University hosted a privacy event yesterday, and there have also been other events over the past 12 months. Most recently, CBC Radio’s Maritime Noon hosted a privacy "phone in" with Kostas Halavrezos and local privacy lawyer David Fraser. All of these events and others point to an increase in privacy consciousness in the past year.
However, as one listened to the calls that were received on the CBC Radio privacy segment, it became apparent there was substantial confusion as to what privacy choices, rights, obligations and remedies exist in a variety of settings. A good part of this confusion would seem to arise from a misunderstanding as to what "privacy" is.
In a nutshell, privacy is about legal choices, rights, obligations and remedies for the collection, use and disclosure of non-public, usually recorded, information about us, as individuals, in certain public and private-sector situations. However, even further than this, there are usually only four categories of personal information about us in which privacy choices, rights and obligations may or may not exist:
•Our secrets: This includes information about our personal or work lives, such as employment record, sexual orientation, personal preferences, digital photos or video recordings, records of library loans, video rentals, etc.
•Our identity: Such things as our social insurance number, health card number, blood type, society membership cards, etc., fall into this category.
•Our health: This includes our medical and psychological history.
•Our finances: Examples are our financial and credit status, bank account information, credit card identification and usage history, etc.
While some of the information in all categories may not be considered particularly sensitive and of little privacy interest to some individuals, for others this information is very personal and its disclosure would be viewed as highly privacy-invasive. Regardless of the sensitivity, there is always the potential for public embarrassment, denial of services or financial loss if the information is disclosed, or disseminated widely or indiscriminately.
However, while all of these categories involve our privacy choices, not all of the situations in these categories are subject to privacy laws.
All of this information we willingly (or reluctantly) give to selected individuals or organizations, either as a matter of trust, social interaction, contract or as required by law. However, there seems to be confusion among the general population on choices, rights, obligations and remedies (if any) in many of these situations where our personal information is involved.
In many cases, as Esther Dyson points out in a September 2008 Scientific American article entitled Reflections on Privacy 2.0, "People often have a better bargaining position than they realize, and are gaining the tools and knowledge to exploit that position."
So, how do we lessen that confusion and achieve that level of knowledge and understanding? For those who have tried to navigate the patchwork landscape of privacy laws in Canada, the answer should be obvious. Current laws need to be made more understandable to the average person and consistent across Canada. Penalties should be clear and significant for egregious privacy breaches, and oversight mechanisms must be provided with broad educational mandates and the budgets to implement them.
At the federal level, this would include passage of the proposed "identity theft" amendments to the Criminal Code, and development of clarity amendments to federal public and private-sector privacy legislation.
In Nova Scotia, this would mean proclamation of the recently passed Privacy Review Officer Act. It would also mean a provincial health information law, along with legislation to deal with privacy in the workplace and electronic surveillance (e.g. video, digital cameras including cellphone cameras, and computers).
If these changes, along with increased privacy education about choices, rights and obligations regarding our personal information in the schools, the workplace and the community are implemented, perhaps at this time next year we will not only have an increased level of privacy consciousness – we will also have a better understanding and the capacity to engage in a more informed debate on the future directions privacy-protection policy and laws should take.
Bob Doherty is a Halifax access and privacy consultant who teaches and works with access and privacy law courses in Nova Scotia and Alberta.
I think that Bob and I may think about privacy a bit differently. I probably wouldn't have used the categories he did. To me, words like "non-public" aren't very helpful and everything may fit into the category of "secrets". It just depends on how much an individual decides to disclose and how they propose to disclose it. Public information can be subject to privacy rights, as is the case in PIPEDA where publicly available information is still subject to legal limitations. But no matter what, the public should be educated about privacy rights and should have a say in shaping privacy laws.
Friday, December 19, 2008
Privacy and internet log files
Just posted on slaw.ca:
In the past two weeks, the New York Times reported that Microsoft has made a minor concession with European privacy authorities about how long it retains its log files. A committee of European privacy regulators had asked that these logs be kept for only six months. Microsoft's response? Eighteen months.Yahoo used to keep them for thirteen months and just announced it will cut retention to 90 days. Google keeps them for nine.
The privacy implictions of these innocuous log files have been underestimated, particularly when you think about the fulsome picture of your private life that companies like Google may be assembling about you. The information in an ordinary web-server log usually contains the just a tid-bit of information. One "hit" on a website may look like this (but all on one line):
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"The first bundle of numbers is the IP address of the computer that requested a particular web-page. "Frank" refers to a userid, which is usually not eabled. The next field is the date" Following that, and usually preceded by "GET" is the command your web-browser sent to the server. The next bits are the status code returned by the server and then the size of the entity requested. Next is something called a "referer" (mis-spelled) , followed by details about your browser.
Since many people often share the same IP address (it could be one IP for an entire company or just a group of people in a house using the same internet connection), some have argued it is not personal information and a log-file doesn't contain personal information. The problem is that even if an IP address is not directly connected to one individual, one can do some easy analysis to make the connections. After AOL released supposedly de-identified search logs to researchers, an intrepid reporter was able to track down at least one of the users who had some very personal health-related searches in the logs (see: Users identifiable by AOL search data).
What's additionally troubling from a privacy point of view is that the large inernet companies, like Google, Yahoo and Microsoft, don't just have your search queries. Increasingly, they have a huge trove of data sources in their logs.
Take Google, for example. Google has their famous Google search. They also have GMail, Google Analytics, Google AdSense, Google Documents, Google Toolbar and more. Each time you "hit" one of their sites, you're in their logs. Most internet users hit Google's logs dozens of times a day and on many of those occasions aren't even aware that they're using a Google service. Google has what is probably the most popular and widely used network of online advertising: AdSense. Each time you go to a website that features Google's ads, your computer sends a request to Google's servers and that "hit" goes into their logs, along with the information about what site you were visiting, when you visited and what ad was served. If you click on the ad, even more information is collected and logged. But even if you don't visit a site with Google's ads, there's a very good chance that the webmaster is using Google Analytics to find out about useage of his or her site. (Full disclosure: I use Google Analytics for my site at www.privacylawyer.ca.) I should also note that Yahoo! and MSN also have advertising networks, which collect the same sort of information.What this means is that Google, Yahoo and Microsoft register in their logs a significant portion of your usage of the internet.
And if you have a Google, Yahoo! or MSN account, that hit can be connected to your account details, includig your name.
I don't think it's too far fetched to think of a day when it will become standard for all investigations involving the internet to inlcude a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.
Next week, I'll discuss efforts being made by governments and law enforcement to make log rentention mandatory.
Thursday, December 04, 2008
Federal Commissioner tables annual report on Privacy Act
The Federal Privacy Commissioner has today tabled her annual report on the Privacy Act. And she isn't happy with how certain government departments handle personal information:
News Release: Privacy issues given short shrift in passport operations and tribunal Internet postings, Commissioner says (December 4, 2008) - Privacy Commissioner of CanadaNews Release
Privacy Commissioner’s 2007-2008 Annual Report to Parliament on the Privacy Act outlines audit of Passport Canada; investigative findings regarding online posting of personal information by administrative and quasi-judicial bodies
Ottawa, December 4, 2008 — Privacy concerns are not given enough weight in the day-to-day operations of a number of federal government institutions, the Privacy Commissioner of Canada says.
The Commissioner’s latest Annual Report to Parliament on the Privacy Act, which was tabled today, describes how privacy and security problems in Canada’s passport operations added up to a significant risk for Canadians applying for passports.
The annual report also highlights the Commissioner’s concerns that the online posting of personal information by some federal administrative and quasi-judicial bodies does not strike the right balance between the public interest and privacy rights.
Privacy Commissioner Jennifer Stoddart says her Office’s audit of passport operations raised a broad range of concerns about how personal information was handled.
“Given the high sensitivity of the personal information involved in processing passport applications, better privacy and security measures are needed,” says Commissioner Stoddart. “Unfortunately, the shortcomings we found raised the risk that Canadians’ information could wind up in the wrong hands.”
The audit found that passport applications and supporting documents were kept in clear plastic bags on open shelves; documents containing personal information were sometimes tossed into regular garbage and recycling bins; and some documents that were shredded could be easily put back together. Meanwhile, computer systems allowed too many employees to access passport files. The investigation also concluded there was inadequate privacy training for employees – an issue which is a concern across government institutions.The Commissioner is pleased that Passport Canada and the Department of Foreign Affairs and International Trade have indicated they will act on her recommendations and improve privacy and security safeguards.
The annual report also outlines the Commissioner’s concerns about the online posting of federal administrative and quasi-judicial bodies’ decisions which contain highly sensitive personal information.
The OPC investigated 23 complaints regarding the disclosure of personal information on the Internet by seven bodies created by Parliament to adjudicate disputes. The complaints involved: the Canada Appeals Office on Occupational Health and Safety; the Military Police Complaints Commission; the Pension Appeals Board; the Public Service Commission; the Public Service Staff Relations Board; the RCMP Adjudication Board; and Umpire Benefits decisions.
Decisions of these bodies often include highly personal information such as an individual’s financial status, health and personal history.
“This is private information. Law-abiding citizens fighting for a government benefit should not be forced to expose the intimate details of their lives to everyone with an Internet connection,” says Commissioner Stoddart.
The Commissioner agreed that the “open court” principle is an important part of Canada’s legal system, but noted there is a crucial distinction between the courts and the bodies the OPC investigated: The Privacy Act does not apply to the courts, but it does apply to many administrative tribunals and quasi-judicial bodies.
In order to respect their obligations under the Privacy Act, the Commissioner recommended, among other steps, that the bodies reasonably depersonalize decisions posted online by replacing names with random initials. However, the Commissioner noted that, where there is a genuine and compelling public interest in such a disclosure, these bodies have the legal authority under the Act to exercise discretion in disclosing personal information.
Service Canada and Human Resources Development Canada agreed to fully implement the OPC’s recommendations. Other bodies took important but incomplete steps towards compliance with the Commissioner’s recommendations.
Currently, unlike its private-sector counterpart, the Privacy Act does not empower the Privacy Commissioner to enforce her recommendations through legal actions. The OPC has recommended an overhaul of the legislation to address this and other concerns.
The OPC has also asked Treasury Board Secretariat to develop centralized policy guidance on the online posting of personal information by administrative and quasi-judicial bodies.The annual report outlines key activities undertaken by the OPC during 2007-2008, including audits, investigations and policy work. The report notes that new complaints against government institutions dropped slightly to 759 in 2007-2008 from 839 the previous year.
The report is available on the OPC website.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Tuesday, October 07, 2008
Trend to privacy seen as hurting research
An article in the September 24, 2008 National Post cites a new journal article that concludes that privacy laws are hampering important health research. I haven't read the journal article yet, but plan to. While this argument is not new, I don't agree with the conclusions. I have served on Research Ethics Boards and on a special privacy committees of an REB and I haven't seen that happen.
One researcher is quoted as saying that health research should be exempted from privacy laws, which is, in my view, a very bad idea. Perhaps some tweaking is called for, but a blanket exemption would be a very bad idea and may lead to a backlash against research using identifiable personal information.
Trend to privacy seen as hurting research
Many scientists deprived access to patient data
Tom Blackwell , National Post
Published: Wednesday, September 24, 2008
As Canadians place more and more emphasis on safeguarding personal privacy, the trend is taking an inadvertent toll on medical research, often impeding access to intimate but crucial health information, scientists are warning.
Privacy laws not only make public-health studies more time-consuming and costly, they can also significantly skew research results, argue University of British Columbia epidemiologists in a recent journal article.
"I think it's something that everyone should consider because good research is basically how we make advances in public health," said Anne Harris, lead author of the paper. "We need to be able to trust the results we get."
The paper in the Canadian Journal of Public Health suggests that medical research be exempted in some way from privacy rules.
A leading Ontario scientist echoed the B. C. group's concerns: "A lot of the advances we have had in the past might not happen because of privacy legislation and the way it's interpreted," said Dr. Jack Tu, a cardiac health researcher with a University of Toronto-affiliated institute.
Thursday, July 31, 2008
Nova Scotia begins consultation on Personal Health Information legislation
The Province of Nova Scotia has for some time been consulting with inside stakeholders on the development of health information legislation. It has just launched a consultation, seeking input from interested parties. I haven't had a chance to look at the discussion paper yet, but I understand they've been using Ontario's PHIPA as the model:
Personal Health Information Legislation for Nova Scotia Department of Health Government of Nova ScotiaFor the past several years the Department of Health has been working with health sector partners on initiatives related to the protection and use of personal health information. As part of the evolution of standards, policy and law on these issues, .the Department is developing a Personal Health Information Act for the province.
The Department is pleased to present the Discussion Paper Personal Health Information Legislation for Nova Scotia (PDF: 70p). Throughout the Discussion Paper, key issues related to the collection, use, disclosure, retention and destruction of personal health information are discussed, and legislative provisions for a Personal Health Information Act are proposed.
Public and stakeholder input to this legislation is critical to its success. Any feedback on the issues raised in the paper, and on any issues related to the management of personal health information in Nova Scotia can be submitted through the online questionnaire, by e-mail to mailto:phia@gov.ns.caor by regular mail to the Personal Health Information Project, Department of Health, 1690 Hollis Street, P.O. Box 488 , Halifax , Nova Scotia , B3J 2R8
The deadline for comments is November 1, 2008.
- Personal Health Information Legislation for Nova Scotia Discussion Paper (PDF:70p)
- Frequently Asked Questions - Foire aux questions (PDF)
- Questionnaire (MS Word) Questionnaire French (MS Word)
- Personal Health Information Legislation Online Questionnaire
Subscribe to:
Posts (Atom)